• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* apps/req.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 
59 /* Until the key-gen callbacks are modified to use newer prototypes, we allow
60  * deprecated functions for openssl-internal code */
61 #ifdef OPENSSL_NO_DEPRECATED
62 #undef OPENSSL_NO_DEPRECATED
63 #endif
64 
65 #include <stdio.h>
66 #include <stdlib.h>
67 #include <time.h>
68 #include <string.h>
69 #ifdef OPENSSL_NO_STDIO
70 #define APPS_WIN16
71 #endif
72 #include "apps.h"
73 #include <openssl/bio.h>
74 #include <openssl/evp.h>
75 #include <openssl/conf.h>
76 #include <openssl/err.h>
77 #include <openssl/asn1.h>
78 #include <openssl/x509.h>
79 #include <openssl/x509v3.h>
80 #include <openssl/objects.h>
81 #include <openssl/pem.h>
82 #include <openssl/bn.h>
83 #ifndef OPENSSL_NO_RSA
84 #include <openssl/rsa.h>
85 #endif
86 #ifndef OPENSSL_NO_DSA
87 #include <openssl/dsa.h>
88 #endif
89 
90 #define SECTION		"req"
91 
92 #define BITS		"default_bits"
93 #define KEYFILE		"default_keyfile"
94 #define PROMPT		"prompt"
95 #define DISTINGUISHED_NAME	"distinguished_name"
96 #define ATTRIBUTES	"attributes"
97 #define V3_EXTENSIONS	"x509_extensions"
98 #define REQ_EXTENSIONS	"req_extensions"
99 #define STRING_MASK	"string_mask"
100 #define UTF8_IN		"utf8"
101 
102 #define DEFAULT_KEY_LENGTH	512
103 #define MIN_KEY_LENGTH		384
104 
105 #undef PROG
106 #define PROG	req_main
107 
108 /* -inform arg	- input format - default PEM (DER or PEM)
109  * -outform arg - output format - default PEM
110  * -in arg	- input file - default stdin
111  * -out arg	- output file - default stdout
112  * -verify	- check request signature
113  * -noout	- don't print stuff out.
114  * -text	- print out human readable text.
115  * -nodes	- no des encryption
116  * -config file	- Load configuration file.
117  * -key file	- make a request using key in file (or use it for verification).
118  * -keyform arg	- key file format.
119  * -rand file(s) - load the file(s) into the PRNG.
120  * -newkey	- make a key and a request.
121  * -modulus	- print RSA modulus.
122  * -pubkey	- output Public Key.
123  * -x509	- output a self signed X509 structure instead.
124  * -asn1-kludge	- output new certificate request in a format that some CA's
125  *		  require.  This format is wrong
126  */
127 
128 static int make_REQ(X509_REQ *req,EVP_PKEY *pkey,char *dn,int mutlirdn,
129 		int attribs,unsigned long chtype);
130 static int build_subject(X509_REQ *req, char *subj, unsigned long chtype,
131 		int multirdn);
132 static int prompt_info(X509_REQ *req,
133 		STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect,
134 		STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect, int attribs,
135 		unsigned long chtype);
136 static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk,
137 				STACK_OF(CONF_VALUE) *attr, int attribs,
138 				unsigned long chtype);
139 static int add_attribute_object(X509_REQ *req, char *text, const char *def,
140 				char *value, int nid, int n_min,
141 				int n_max, unsigned long chtype);
142 static int add_DN_object(X509_NAME *n, char *text, const char *def, char *value,
143 	int nid,int n_min,int n_max, unsigned long chtype, int mval);
144 static int genpkey_cb(EVP_PKEY_CTX *ctx);
145 static int req_check_len(int len,int n_min,int n_max);
146 static int check_end(const char *str, const char *end);
147 static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, int *pkey_type,
148 					long *pkeylen, char **palgnam,
149 					ENGINE *keygen_engine);
150 #ifndef MONOLITH
151 static char *default_config_file=NULL;
152 #endif
153 static CONF *req_conf=NULL;
154 static int batch=0;
155 
156 int MAIN(int, char **);
157 
MAIN(int argc,char ** argv)158 int MAIN(int argc, char **argv)
159 	{
160 	ENGINE *e = NULL, *gen_eng = NULL;
161 	unsigned long nmflag = 0, reqflag = 0;
162 	int ex=1,x509=0,days=30;
163 	X509 *x509ss=NULL;
164 	X509_REQ *req=NULL;
165 	EVP_PKEY_CTX *genctx = NULL;
166 	const char *keyalg = NULL;
167 	char *keyalgstr = NULL;
168 	STACK_OF(OPENSSL_STRING) *pkeyopts = NULL;
169 	EVP_PKEY *pkey=NULL;
170 	int i=0,badops=0,newreq=0,verbose=0,pkey_type=-1;
171 	long newkey = -1;
172 	BIO *in=NULL,*out=NULL;
173 	int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM;
174 	int nodes=0,kludge=0,newhdr=0,subject=0,pubkey=0;
175 	char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL;
176 #ifndef OPENSSL_NO_ENGINE
177 	char *engine=NULL;
178 #endif
179 	char *extensions = NULL;
180 	char *req_exts = NULL;
181 	const EVP_CIPHER *cipher=NULL;
182 	ASN1_INTEGER *serial = NULL;
183 	int modulus=0;
184 	char *inrand=NULL;
185 	char *passargin = NULL, *passargout = NULL;
186 	char *passin = NULL, *passout = NULL;
187 	char *p;
188 	char *subj = NULL;
189 	int multirdn = 0;
190 	const EVP_MD *md_alg=NULL,*digest=NULL;
191 	unsigned long chtype = MBSTRING_ASC;
192 #ifndef MONOLITH
193 	char *to_free;
194 	long errline;
195 #endif
196 
197 	req_conf = NULL;
198 #ifndef OPENSSL_NO_DES
199 	cipher=EVP_des_ede3_cbc();
200 #endif
201 	apps_startup();
202 
203 	if (bio_err == NULL)
204 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
205 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
206 
207 	infile=NULL;
208 	outfile=NULL;
209 	informat=FORMAT_PEM;
210 	outformat=FORMAT_PEM;
211 
212 	prog=argv[0];
213 	argc--;
214 	argv++;
215 	while (argc >= 1)
216 		{
217 		if 	(strcmp(*argv,"-inform") == 0)
218 			{
219 			if (--argc < 1) goto bad;
220 			informat=str2fmt(*(++argv));
221 			}
222 		else if (strcmp(*argv,"-outform") == 0)
223 			{
224 			if (--argc < 1) goto bad;
225 			outformat=str2fmt(*(++argv));
226 			}
227 #ifndef OPENSSL_NO_ENGINE
228 		else if (strcmp(*argv,"-engine") == 0)
229 			{
230 			if (--argc < 1) goto bad;
231 			engine= *(++argv);
232 			}
233 		else if (strcmp(*argv,"-keygen_engine") == 0)
234 			{
235 			if (--argc < 1) goto bad;
236 			gen_eng = ENGINE_by_id(*(++argv));
237 			if (gen_eng == NULL)
238 				{
239 				BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv);
240 				goto end;
241 				}
242 			}
243 #endif
244 		else if (strcmp(*argv,"-key") == 0)
245 			{
246 			if (--argc < 1) goto bad;
247 			keyfile= *(++argv);
248 			}
249 		else if (strcmp(*argv,"-pubkey") == 0)
250 			{
251 			pubkey=1;
252 			}
253 		else if (strcmp(*argv,"-new") == 0)
254 			{
255 			newreq=1;
256 			}
257 		else if (strcmp(*argv,"-config") == 0)
258 			{
259 			if (--argc < 1) goto bad;
260 			template= *(++argv);
261 			}
262 		else if (strcmp(*argv,"-keyform") == 0)
263 			{
264 			if (--argc < 1) goto bad;
265 			keyform=str2fmt(*(++argv));
266 			}
267 		else if (strcmp(*argv,"-in") == 0)
268 			{
269 			if (--argc < 1) goto bad;
270 			infile= *(++argv);
271 			}
272 		else if (strcmp(*argv,"-out") == 0)
273 			{
274 			if (--argc < 1) goto bad;
275 			outfile= *(++argv);
276 			}
277 		else if (strcmp(*argv,"-keyout") == 0)
278 			{
279 			if (--argc < 1) goto bad;
280 			keyout= *(++argv);
281 			}
282 		else if (strcmp(*argv,"-passin") == 0)
283 			{
284 			if (--argc < 1) goto bad;
285 			passargin= *(++argv);
286 			}
287 		else if (strcmp(*argv,"-passout") == 0)
288 			{
289 			if (--argc < 1) goto bad;
290 			passargout= *(++argv);
291 			}
292 		else if (strcmp(*argv,"-rand") == 0)
293 			{
294 			if (--argc < 1) goto bad;
295 			inrand= *(++argv);
296 			}
297 		else if (strcmp(*argv,"-newkey") == 0)
298 			{
299 			if (--argc < 1)
300 				goto bad;
301 			keyalg = *(++argv);
302 			newreq=1;
303 			}
304 		else if (strcmp(*argv,"-pkeyopt") == 0)
305 			{
306 			if (--argc < 1)
307 				goto bad;
308 			if (!pkeyopts)
309 				pkeyopts = sk_OPENSSL_STRING_new_null();
310 			if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, *(++argv)))
311 				goto bad;
312 			}
313 		else if (strcmp(*argv,"-batch") == 0)
314 			batch=1;
315 		else if (strcmp(*argv,"-newhdr") == 0)
316 			newhdr=1;
317 		else if (strcmp(*argv,"-modulus") == 0)
318 			modulus=1;
319 		else if (strcmp(*argv,"-verify") == 0)
320 			verify=1;
321 		else if (strcmp(*argv,"-nodes") == 0)
322 			nodes=1;
323 		else if (strcmp(*argv,"-noout") == 0)
324 			noout=1;
325 		else if (strcmp(*argv,"-verbose") == 0)
326 			verbose=1;
327 		else if (strcmp(*argv,"-utf8") == 0)
328 			chtype = MBSTRING_UTF8;
329 		else if (strcmp(*argv,"-nameopt") == 0)
330 			{
331 			if (--argc < 1) goto bad;
332 			if (!set_name_ex(&nmflag, *(++argv))) goto bad;
333 			}
334 		else if (strcmp(*argv,"-reqopt") == 0)
335 			{
336 			if (--argc < 1) goto bad;
337 			if (!set_cert_ex(&reqflag, *(++argv))) goto bad;
338 			}
339 		else if (strcmp(*argv,"-subject") == 0)
340 			subject=1;
341 		else if (strcmp(*argv,"-text") == 0)
342 			text=1;
343 		else if (strcmp(*argv,"-x509") == 0)
344 			x509=1;
345 		else if (strcmp(*argv,"-asn1-kludge") == 0)
346 			kludge=1;
347 		else if (strcmp(*argv,"-no-asn1-kludge") == 0)
348 			kludge=0;
349 		else if (strcmp(*argv,"-subj") == 0)
350 			{
351 			if (--argc < 1) goto bad;
352 			subj= *(++argv);
353 			}
354 		else if (strcmp(*argv,"-multivalue-rdn") == 0)
355 			multirdn=1;
356 		else if (strcmp(*argv,"-days") == 0)
357 			{
358 			if (--argc < 1) goto bad;
359 			days= atoi(*(++argv));
360 			if (days == 0) days=30;
361 			}
362 		else if (strcmp(*argv,"-set_serial") == 0)
363 			{
364 			if (--argc < 1) goto bad;
365 			serial = s2i_ASN1_INTEGER(NULL, *(++argv));
366 			if (!serial) goto bad;
367 			}
368 		else if (strcmp(*argv,"-extensions") == 0)
369 			{
370 			if (--argc < 1) goto bad;
371 			extensions = *(++argv);
372 			}
373 		else if (strcmp(*argv,"-reqexts") == 0)
374 			{
375 			if (--argc < 1) goto bad;
376 			req_exts = *(++argv);
377 			}
378 		else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
379 			{
380 			/* ok */
381 			digest=md_alg;
382 			}
383 		else
384 			{
385 			BIO_printf(bio_err,"unknown option %s\n",*argv);
386 			badops=1;
387 			break;
388 			}
389 		argc--;
390 		argv++;
391 		}
392 
393 	if (badops)
394 		{
395 bad:
396 		BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
397 		BIO_printf(bio_err,"where options  are\n");
398 		BIO_printf(bio_err," -inform arg    input format - DER or PEM\n");
399 		BIO_printf(bio_err," -outform arg   output format - DER or PEM\n");
400 		BIO_printf(bio_err," -in arg        input file\n");
401 		BIO_printf(bio_err," -out arg       output file\n");
402 		BIO_printf(bio_err," -text          text form of request\n");
403 		BIO_printf(bio_err," -pubkey        output public key\n");
404 		BIO_printf(bio_err," -noout         do not output REQ\n");
405 		BIO_printf(bio_err," -verify        verify signature on REQ\n");
406 		BIO_printf(bio_err," -modulus       RSA modulus\n");
407 		BIO_printf(bio_err," -nodes         don't encrypt the output key\n");
408 #ifndef OPENSSL_NO_ENGINE
409 		BIO_printf(bio_err," -engine e      use engine e, possibly a hardware device\n");
410 #endif
411 		BIO_printf(bio_err," -subject       output the request's subject\n");
412 		BIO_printf(bio_err," -passin        private key password source\n");
413 		BIO_printf(bio_err," -key file      use the private key contained in file\n");
414 		BIO_printf(bio_err," -keyform arg   key file format\n");
415 		BIO_printf(bio_err," -keyout arg    file to send the key to\n");
416 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
417 		BIO_printf(bio_err,"                load the file (or the files in the directory) into\n");
418 		BIO_printf(bio_err,"                the random number generator\n");
419 		BIO_printf(bio_err," -newkey rsa:bits generate a new RSA key of 'bits' in size\n");
420 		BIO_printf(bio_err," -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n");
421 #ifndef OPENSSL_NO_ECDSA
422 		BIO_printf(bio_err," -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n");
423 #endif
424 		BIO_printf(bio_err," -[digest]      Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
425 		BIO_printf(bio_err," -config file   request template file.\n");
426 		BIO_printf(bio_err," -subj arg      set or modify request subject\n");
427 		BIO_printf(bio_err," -multivalue-rdn enable support for multivalued RDNs\n");
428 		BIO_printf(bio_err," -new           new request.\n");
429 		BIO_printf(bio_err," -batch         do not ask anything during request generation\n");
430 		BIO_printf(bio_err," -x509          output a x509 structure instead of a cert. req.\n");
431 		BIO_printf(bio_err," -days          number of days a certificate generated by -x509 is valid for.\n");
432 		BIO_printf(bio_err," -set_serial    serial number to use for a certificate generated by -x509.\n");
433 		BIO_printf(bio_err," -newhdr        output \"NEW\" in the header lines\n");
434 		BIO_printf(bio_err," -asn1-kludge   Output the 'request' in a format that is wrong but some CA's\n");
435 		BIO_printf(bio_err,"                have been reported as requiring\n");
436 		BIO_printf(bio_err," -extensions .. specify certificate extension section (override value in config file)\n");
437 		BIO_printf(bio_err," -reqexts ..    specify request extension section (override value in config file)\n");
438 		BIO_printf(bio_err," -utf8          input characters are UTF8 (default ASCII)\n");
439 		BIO_printf(bio_err," -nameopt arg    - various certificate name options\n");
440 		BIO_printf(bio_err," -reqopt arg    - various request text options\n\n");
441 		goto end;
442 		}
443 
444 	ERR_load_crypto_strings();
445 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
446 		BIO_printf(bio_err, "Error getting passwords\n");
447 		goto end;
448 	}
449 
450 #ifndef MONOLITH /* else this has happened in openssl.c (global `config') */
451 	/* Lets load up our environment a little */
452 	p=getenv("OPENSSL_CONF");
453 	if (p == NULL)
454 		p=getenv("SSLEAY_CONF");
455 	if (p == NULL)
456 		p=to_free=make_config_name();
457 	default_config_file=p;
458 	config=NCONF_new(NULL);
459 	i=NCONF_load(config, p, &errline);
460 #endif
461 
462 	if (template != NULL)
463 		{
464 		long errline = -1;
465 
466 		if( verbose )
467 			BIO_printf(bio_err,"Using configuration from %s\n",template);
468 		req_conf=NCONF_new(NULL);
469 		i=NCONF_load(req_conf,template,&errline);
470 		if (i == 0)
471 			{
472 			BIO_printf(bio_err,"error on line %ld of %s\n",errline,template);
473 			goto end;
474 			}
475 		}
476 	else
477 		{
478 		req_conf=config;
479 
480 		if (req_conf == NULL)
481 			{
482 			BIO_printf(bio_err,"Unable to load config info from %s\n", default_config_file);
483 			if (newreq)
484 				goto end;
485 			}
486 		else if( verbose )
487 			BIO_printf(bio_err,"Using configuration from %s\n",
488 			default_config_file);
489 		}
490 
491 	if (req_conf != NULL)
492 		{
493 		if (!load_config(bio_err, req_conf))
494 			goto end;
495 		p=NCONF_get_string(req_conf,NULL,"oid_file");
496 		if (p == NULL)
497 			ERR_clear_error();
498 		if (p != NULL)
499 			{
500 			BIO *oid_bio;
501 
502 			oid_bio=BIO_new_file(p,"r");
503 			if (oid_bio == NULL)
504 				{
505 				/*
506 				BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
507 				ERR_print_errors(bio_err);
508 				*/
509 				}
510 			else
511 				{
512 				OBJ_create_objects(oid_bio);
513 				BIO_free(oid_bio);
514 				}
515 			}
516 		}
517 	if(!add_oid_section(bio_err, req_conf)) goto end;
518 
519 	if (md_alg == NULL)
520 		{
521 		p=NCONF_get_string(req_conf,SECTION,"default_md");
522 		if (p == NULL)
523 			ERR_clear_error();
524 		if (p != NULL)
525 			{
526 			if ((md_alg=EVP_get_digestbyname(p)) != NULL)
527 				digest=md_alg;
528 			}
529 		}
530 
531 	if (!extensions)
532 		{
533 		extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
534 		if (!extensions)
535 			ERR_clear_error();
536 		}
537 	if (extensions) {
538 		/* Check syntax of file */
539 		X509V3_CTX ctx;
540 		X509V3_set_ctx_test(&ctx);
541 		X509V3_set_nconf(&ctx, req_conf);
542 		if(!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) {
543 			BIO_printf(bio_err,
544 			 "Error Loading extension section %s\n", extensions);
545 			goto end;
546 		}
547 	}
548 
549 	if(!passin)
550 		{
551 		passin = NCONF_get_string(req_conf, SECTION, "input_password");
552 		if (!passin)
553 			ERR_clear_error();
554 		}
555 
556 	if(!passout)
557 		{
558 		passout = NCONF_get_string(req_conf, SECTION, "output_password");
559 		if (!passout)
560 			ERR_clear_error();
561 		}
562 
563 	p = NCONF_get_string(req_conf, SECTION, STRING_MASK);
564 	if (!p)
565 		ERR_clear_error();
566 
567 	if(p && !ASN1_STRING_set_default_mask_asc(p)) {
568 		BIO_printf(bio_err, "Invalid global string mask setting %s\n", p);
569 		goto end;
570 	}
571 
572 	if (chtype != MBSTRING_UTF8)
573 		{
574 		p = NCONF_get_string(req_conf, SECTION, UTF8_IN);
575 		if (!p)
576 			ERR_clear_error();
577 		else if (!strcmp(p, "yes"))
578 			chtype = MBSTRING_UTF8;
579 		}
580 
581 
582 	if(!req_exts)
583 		{
584 		req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS);
585 		if (!req_exts)
586 			ERR_clear_error();
587 		}
588 	if(req_exts) {
589 		/* Check syntax of file */
590 		X509V3_CTX ctx;
591 		X509V3_set_ctx_test(&ctx);
592 		X509V3_set_nconf(&ctx, req_conf);
593 		if(!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) {
594 			BIO_printf(bio_err,
595 			 "Error Loading request extension section %s\n",
596 								req_exts);
597 			goto end;
598 		}
599 	}
600 
601 	in=BIO_new(BIO_s_file());
602 	out=BIO_new(BIO_s_file());
603 	if ((in == NULL) || (out == NULL))
604 		goto end;
605 
606 #ifndef OPENSSL_NO_ENGINE
607         e = setup_engine(bio_err, engine, 0);
608 #endif
609 
610 	if (keyfile != NULL)
611 		{
612 		pkey = load_key(bio_err, keyfile, keyform, 0, passin, e,
613 			"Private Key");
614 		if (!pkey)
615 			{
616 			/* load_key() has already printed an appropriate
617 			   message */
618 			goto end;
619 			}
620 		else
621 			{
622 			char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE");
623 			if (randfile == NULL)
624 				ERR_clear_error();
625 			app_RAND_load_file(randfile, bio_err, 0);
626 			}
627 		}
628 
629 	if (newreq && (pkey == NULL))
630 		{
631 		char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE");
632 		if (randfile == NULL)
633 			ERR_clear_error();
634 		app_RAND_load_file(randfile, bio_err, 0);
635 		if (inrand)
636 			app_RAND_load_files(inrand);
637 
638 		if (keyalg)
639 			{
640 			genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey,
641 							&keyalgstr, gen_eng);
642 			if (!genctx)
643 				goto end;
644 			}
645 
646 		if (newkey <= 0)
647 			{
648 			if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
649 				newkey=DEFAULT_KEY_LENGTH;
650 			}
651 
652 		if (newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA))
653 			{
654 			BIO_printf(bio_err,"private key length is too short,\n");
655 			BIO_printf(bio_err,"it needs to be at least %d bits, not %ld\n",MIN_KEY_LENGTH,newkey);
656 			goto end;
657 			}
658 
659 		if (!genctx)
660 			{
661 			genctx = set_keygen_ctx(bio_err, NULL, &pkey_type, &newkey,
662 							&keyalgstr, gen_eng);
663 			if (!genctx)
664 				goto end;
665 			}
666 
667 		if (pkeyopts)
668 			{
669 			char *genopt;
670 			for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++)
671 				{
672 				genopt = sk_OPENSSL_STRING_value(pkeyopts, i);
673 				if (pkey_ctrl_string(genctx, genopt) <= 0)
674 					{
675 					BIO_printf(bio_err,
676 						"parameter error \"%s\"\n",
677 						genopt);
678 					ERR_print_errors(bio_err);
679 					goto end;
680 					}
681 				}
682 			}
683 
684 		BIO_printf(bio_err,"Generating a %ld bit %s private key\n",
685 				newkey, keyalgstr);
686 
687 		EVP_PKEY_CTX_set_cb(genctx, genpkey_cb);
688 		EVP_PKEY_CTX_set_app_data(genctx, bio_err);
689 
690 		if (EVP_PKEY_keygen(genctx, &pkey) <= 0)
691 			{
692 			BIO_puts(bio_err, "Error Generating Key\n");
693 			goto end;
694 			}
695 
696 		EVP_PKEY_CTX_free(genctx);
697 		genctx = NULL;
698 
699 		app_RAND_write_file(randfile, bio_err);
700 
701 		if (keyout == NULL)
702 			{
703 			keyout=NCONF_get_string(req_conf,SECTION,KEYFILE);
704 			if (keyout == NULL)
705 				ERR_clear_error();
706 			}
707 
708 		if (keyout == NULL)
709 			{
710 			BIO_printf(bio_err,"writing new private key to stdout\n");
711 			BIO_set_fp(out,stdout,BIO_NOCLOSE);
712 #ifdef OPENSSL_SYS_VMS
713 			{
714 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
715 			out = BIO_push(tmpbio, out);
716 			}
717 #endif
718 			}
719 		else
720 			{
721 			BIO_printf(bio_err,"writing new private key to '%s'\n",keyout);
722 			if (BIO_write_filename(out,keyout) <= 0)
723 				{
724 				perror(keyout);
725 				goto end;
726 				}
727 			}
728 
729 		p=NCONF_get_string(req_conf,SECTION,"encrypt_rsa_key");
730 		if (p == NULL)
731 			{
732 			ERR_clear_error();
733 			p=NCONF_get_string(req_conf,SECTION,"encrypt_key");
734 			if (p == NULL)
735 				ERR_clear_error();
736 			}
737 		if ((p != NULL) && (strcmp(p,"no") == 0))
738 			cipher=NULL;
739 		if (nodes) cipher=NULL;
740 
741 		i=0;
742 loop:
743 		if (!PEM_write_bio_PrivateKey(out,pkey,cipher,
744 			NULL,0,NULL,passout))
745 			{
746 			if ((ERR_GET_REASON(ERR_peek_error()) ==
747 				PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3))
748 				{
749 				ERR_clear_error();
750 				i++;
751 				goto loop;
752 				}
753 			goto end;
754 			}
755 		BIO_printf(bio_err,"-----\n");
756 		}
757 
758 	if (!newreq)
759 		{
760 		/* Since we are using a pre-existing certificate
761 		 * request, the kludge 'format' info should not be
762 		 * changed. */
763 		kludge= -1;
764 		if (infile == NULL)
765 			BIO_set_fp(in,stdin,BIO_NOCLOSE);
766 		else
767 			{
768 			if (BIO_read_filename(in,infile) <= 0)
769 				{
770 				perror(infile);
771 				goto end;
772 				}
773 			}
774 
775 		if	(informat == FORMAT_ASN1)
776 			req=d2i_X509_REQ_bio(in,NULL);
777 		else if (informat == FORMAT_PEM)
778 			req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL);
779 		else
780 			{
781 			BIO_printf(bio_err,"bad input format specified for X509 request\n");
782 			goto end;
783 			}
784 		if (req == NULL)
785 			{
786 			BIO_printf(bio_err,"unable to load X509 request\n");
787 			goto end;
788 			}
789 		}
790 
791 	if (newreq || x509)
792 		{
793 		if (pkey == NULL)
794 			{
795 			BIO_printf(bio_err,"you need to specify a private key\n");
796 			goto end;
797 			}
798 
799 		if (req == NULL)
800 			{
801 			req=X509_REQ_new();
802 			if (req == NULL)
803 				{
804 				goto end;
805 				}
806 
807 			i=make_REQ(req,pkey,subj,multirdn,!x509, chtype);
808 			subj=NULL; /* done processing '-subj' option */
809 			if ((kludge > 0) && !sk_X509_ATTRIBUTE_num(req->req_info->attributes))
810 				{
811 				sk_X509_ATTRIBUTE_free(req->req_info->attributes);
812 				req->req_info->attributes = NULL;
813 				}
814 			if (!i)
815 				{
816 				BIO_printf(bio_err,"problems making Certificate Request\n");
817 				goto end;
818 				}
819 			}
820 		if (x509)
821 			{
822 			EVP_PKEY *tmppkey;
823 			X509V3_CTX ext_ctx;
824 			if ((x509ss=X509_new()) == NULL) goto end;
825 
826 			/* Set version to V3 */
827 			if(extensions && !X509_set_version(x509ss, 2)) goto end;
828 			if (serial)
829 				{
830 				if (!X509_set_serialNumber(x509ss, serial)) goto end;
831 				}
832 			else
833 				{
834 				if (!rand_serial(NULL,
835 					X509_get_serialNumber(x509ss)))
836 						goto end;
837 				}
838 
839 			if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) goto end;
840 			if (!X509_gmtime_adj(X509_get_notBefore(x509ss),0)) goto end;
841 			if (!X509_time_adj_ex(X509_get_notAfter(x509ss), days, 0, NULL)) goto end;
842 			if (!X509_set_subject_name(x509ss, X509_REQ_get_subject_name(req))) goto end;
843 			tmppkey = X509_REQ_get_pubkey(req);
844 			if (!tmppkey || !X509_set_pubkey(x509ss,tmppkey)) goto end;
845 			EVP_PKEY_free(tmppkey);
846 
847 			/* Set up V3 context struct */
848 
849 			X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0);
850 			X509V3_set_nconf(&ext_ctx, req_conf);
851 
852 			/* Add extensions */
853 			if(extensions && !X509V3_EXT_add_nconf(req_conf,
854 				 	&ext_ctx, extensions, x509ss))
855 				{
856 				BIO_printf(bio_err,
857 					"Error Loading extension section %s\n",
858 					extensions);
859 				goto end;
860 				}
861 
862 			if (!(i=X509_sign(x509ss,pkey,digest)))
863 				{
864 				ERR_print_errors(bio_err);
865 				goto end;
866 				}
867 			}
868 		else
869 			{
870 			X509V3_CTX ext_ctx;
871 
872 			/* Set up V3 context struct */
873 
874 			X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0);
875 			X509V3_set_nconf(&ext_ctx, req_conf);
876 
877 			/* Add extensions */
878 			if(req_exts && !X509V3_EXT_REQ_add_nconf(req_conf,
879 				 	&ext_ctx, req_exts, req))
880 				{
881 				BIO_printf(bio_err,
882 					"Error Loading extension section %s\n",
883 					req_exts);
884 				goto end;
885 				}
886 			if (!(i=X509_REQ_sign(req,pkey,digest)))
887 				{
888 				ERR_print_errors(bio_err);
889 				goto end;
890 				}
891 			}
892 		}
893 
894 	if (subj && x509)
895 		{
896 		BIO_printf(bio_err, "Cannot modifiy certificate subject\n");
897 		goto end;
898 		}
899 
900 	if (subj && !x509)
901 		{
902 		if (verbose)
903 			{
904 			BIO_printf(bio_err, "Modifying Request's Subject\n");
905 			print_name(bio_err, "old subject=", X509_REQ_get_subject_name(req), nmflag);
906 			}
907 
908 		if (build_subject(req, subj, chtype, multirdn) == 0)
909 			{
910 			BIO_printf(bio_err, "ERROR: cannot modify subject\n");
911 			ex=1;
912 			goto end;
913 			}
914 
915 		req->req_info->enc.modified = 1;
916 
917 		if (verbose)
918 			{
919 			print_name(bio_err, "new subject=", X509_REQ_get_subject_name(req), nmflag);
920 			}
921 		}
922 
923 	if (verify && !x509)
924 		{
925 		int tmp=0;
926 
927 		if (pkey == NULL)
928 			{
929 			pkey=X509_REQ_get_pubkey(req);
930 			tmp=1;
931 			if (pkey == NULL) goto end;
932 			}
933 
934 		i=X509_REQ_verify(req,pkey);
935 		if (tmp) {
936 			EVP_PKEY_free(pkey);
937 			pkey=NULL;
938 		}
939 
940 		if (i < 0)
941 			{
942 			goto end;
943 			}
944 		else if (i == 0)
945 			{
946 			BIO_printf(bio_err,"verify failure\n");
947 			ERR_print_errors(bio_err);
948 			}
949 		else /* if (i > 0) */
950 			BIO_printf(bio_err,"verify OK\n");
951 		}
952 
953 	if (noout && !text && !modulus && !subject && !pubkey)
954 		{
955 		ex=0;
956 		goto end;
957 		}
958 
959 	if (outfile == NULL)
960 		{
961 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
962 #ifdef OPENSSL_SYS_VMS
963 		{
964 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
965 		out = BIO_push(tmpbio, out);
966 		}
967 #endif
968 		}
969 	else
970 		{
971 		if ((keyout != NULL) && (strcmp(outfile,keyout) == 0))
972 			i=(int)BIO_append_filename(out,outfile);
973 		else
974 			i=(int)BIO_write_filename(out,outfile);
975 		if (!i)
976 			{
977 			perror(outfile);
978 			goto end;
979 			}
980 		}
981 
982 	if (pubkey)
983 		{
984 		EVP_PKEY *tpubkey;
985 		tpubkey=X509_REQ_get_pubkey(req);
986 		if (tpubkey == NULL)
987 			{
988 			BIO_printf(bio_err,"Error getting public key\n");
989 			ERR_print_errors(bio_err);
990 			goto end;
991 			}
992 		PEM_write_bio_PUBKEY(out, tpubkey);
993 		EVP_PKEY_free(tpubkey);
994 		}
995 
996 	if (text)
997 		{
998 		if (x509)
999 			X509_print_ex(out, x509ss, nmflag, reqflag);
1000 		else
1001 			X509_REQ_print_ex(out, req, nmflag, reqflag);
1002 		}
1003 
1004 	if(subject)
1005 		{
1006 		if(x509)
1007 			print_name(out, "subject=", X509_get_subject_name(x509ss), nmflag);
1008 		else
1009 			print_name(out, "subject=", X509_REQ_get_subject_name(req), nmflag);
1010 		}
1011 
1012 	if (modulus)
1013 		{
1014 		EVP_PKEY *tpubkey;
1015 
1016 		if (x509)
1017 			tpubkey=X509_get_pubkey(x509ss);
1018 		else
1019 			tpubkey=X509_REQ_get_pubkey(req);
1020 		if (tpubkey == NULL)
1021 			{
1022 			fprintf(stdout,"Modulus=unavailable\n");
1023 			goto end;
1024 			}
1025 		fprintf(stdout,"Modulus=");
1026 #ifndef OPENSSL_NO_RSA
1027 		if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA)
1028 			BN_print(out,tpubkey->pkey.rsa->n);
1029 		else
1030 #endif
1031 			fprintf(stdout,"Wrong Algorithm type");
1032 		EVP_PKEY_free(tpubkey);
1033 		fprintf(stdout,"\n");
1034 		}
1035 
1036 	if (!noout && !x509)
1037 		{
1038 		if 	(outformat == FORMAT_ASN1)
1039 			i=i2d_X509_REQ_bio(out,req);
1040 		else if (outformat == FORMAT_PEM) {
1041 			if(newhdr) i=PEM_write_bio_X509_REQ_NEW(out,req);
1042 			else i=PEM_write_bio_X509_REQ(out,req);
1043 		} else {
1044 			BIO_printf(bio_err,"bad output format specified for outfile\n");
1045 			goto end;
1046 			}
1047 		if (!i)
1048 			{
1049 			BIO_printf(bio_err,"unable to write X509 request\n");
1050 			goto end;
1051 			}
1052 		}
1053 	if (!noout && x509 && (x509ss != NULL))
1054 		{
1055 		if 	(outformat == FORMAT_ASN1)
1056 			i=i2d_X509_bio(out,x509ss);
1057 		else if (outformat == FORMAT_PEM)
1058 			i=PEM_write_bio_X509(out,x509ss);
1059 		else	{
1060 			BIO_printf(bio_err,"bad output format specified for outfile\n");
1061 			goto end;
1062 			}
1063 		if (!i)
1064 			{
1065 			BIO_printf(bio_err,"unable to write X509 certificate\n");
1066 			goto end;
1067 			}
1068 		}
1069 	ex=0;
1070 end:
1071 #ifndef MONOLITH
1072 	if(to_free)
1073 		OPENSSL_free(to_free);
1074 #endif
1075 	if (ex)
1076 		{
1077 		ERR_print_errors(bio_err);
1078 		}
1079 	if ((req_conf != NULL) && (req_conf != config)) NCONF_free(req_conf);
1080 	BIO_free(in);
1081 	BIO_free_all(out);
1082 	EVP_PKEY_free(pkey);
1083 	if (genctx)
1084 		EVP_PKEY_CTX_free(genctx);
1085 	if (pkeyopts)
1086 		sk_OPENSSL_STRING_free(pkeyopts);
1087 #ifndef OPENSSL_NO_ENGINE
1088 	if (gen_eng)
1089 		ENGINE_free(gen_eng);
1090 #endif
1091 	if (keyalgstr)
1092 		OPENSSL_free(keyalgstr);
1093 	X509_REQ_free(req);
1094 	X509_free(x509ss);
1095 	ASN1_INTEGER_free(serial);
1096 	if(passargin && passin) OPENSSL_free(passin);
1097 	if(passargout && passout) OPENSSL_free(passout);
1098 	OBJ_cleanup();
1099 	apps_shutdown();
1100 	OPENSSL_EXIT(ex);
1101 	}
1102 
make_REQ(X509_REQ * req,EVP_PKEY * pkey,char * subj,int multirdn,int attribs,unsigned long chtype)1103 static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
1104 			int attribs, unsigned long chtype)
1105 	{
1106 	int ret=0,i;
1107 	char no_prompt = 0;
1108 	STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL;
1109 	char *tmp, *dn_sect,*attr_sect;
1110 
1111 	tmp=NCONF_get_string(req_conf,SECTION,PROMPT);
1112 	if (tmp == NULL)
1113 		ERR_clear_error();
1114 	if((tmp != NULL) && !strcmp(tmp, "no")) no_prompt = 1;
1115 
1116 	dn_sect=NCONF_get_string(req_conf,SECTION,DISTINGUISHED_NAME);
1117 	if (dn_sect == NULL)
1118 		{
1119 		BIO_printf(bio_err,"unable to find '%s' in config\n",
1120 			DISTINGUISHED_NAME);
1121 		goto err;
1122 		}
1123 	dn_sk=NCONF_get_section(req_conf,dn_sect);
1124 	if (dn_sk == NULL)
1125 		{
1126 		BIO_printf(bio_err,"unable to get '%s' section\n",dn_sect);
1127 		goto err;
1128 		}
1129 
1130 	attr_sect=NCONF_get_string(req_conf,SECTION,ATTRIBUTES);
1131 	if (attr_sect == NULL)
1132 		{
1133 		ERR_clear_error();
1134 		attr_sk=NULL;
1135 		}
1136 	else
1137 		{
1138 		attr_sk=NCONF_get_section(req_conf,attr_sect);
1139 		if (attr_sk == NULL)
1140 			{
1141 			BIO_printf(bio_err,"unable to get '%s' section\n",attr_sect);
1142 			goto err;
1143 			}
1144 		}
1145 
1146 	/* setup version number */
1147 	if (!X509_REQ_set_version(req,0L)) goto err; /* version 1 */
1148 
1149 	if (no_prompt)
1150 		i = auto_info(req, dn_sk, attr_sk, attribs, chtype);
1151 	else
1152 		{
1153 		if (subj)
1154 			i = build_subject(req, subj, chtype, multirdn);
1155 		else
1156 			i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs, chtype);
1157 		}
1158 	if(!i) goto err;
1159 
1160 	if (!X509_REQ_set_pubkey(req,pkey)) goto err;
1161 
1162 	ret=1;
1163 err:
1164 	return(ret);
1165 	}
1166 
1167 /*
1168  * subject is expected to be in the format /type0=value0/type1=value1/type2=...
1169  * where characters may be escaped by \
1170  */
build_subject(X509_REQ * req,char * subject,unsigned long chtype,int multirdn)1171 static int build_subject(X509_REQ *req, char *subject, unsigned long chtype, int multirdn)
1172 	{
1173 	X509_NAME *n;
1174 
1175 	if (!(n = parse_name(subject, chtype, multirdn)))
1176 		return 0;
1177 
1178 	if (!X509_REQ_set_subject_name(req, n))
1179 		{
1180 		X509_NAME_free(n);
1181 		return 0;
1182 		}
1183 	X509_NAME_free(n);
1184 	return 1;
1185 }
1186 
1187 
prompt_info(X509_REQ * req,STACK_OF (CONF_VALUE)* dn_sk,char * dn_sect,STACK_OF (CONF_VALUE)* attr_sk,char * attr_sect,int attribs,unsigned long chtype)1188 static int prompt_info(X509_REQ *req,
1189 		STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect,
1190 		STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect, int attribs,
1191 		unsigned long chtype)
1192 	{
1193 	int i;
1194 	char *p,*q;
1195 	char buf[100];
1196 	int nid, mval;
1197 	long n_min,n_max;
1198 	char *type, *value;
1199 	const char *def;
1200 	CONF_VALUE *v;
1201 	X509_NAME *subj;
1202 	subj = X509_REQ_get_subject_name(req);
1203 
1204 	if(!batch)
1205 		{
1206 		BIO_printf(bio_err,"You are about to be asked to enter information that will be incorporated\n");
1207 		BIO_printf(bio_err,"into your certificate request.\n");
1208 		BIO_printf(bio_err,"What you are about to enter is what is called a Distinguished Name or a DN.\n");
1209 		BIO_printf(bio_err,"There are quite a few fields but you can leave some blank\n");
1210 		BIO_printf(bio_err,"For some fields there will be a default value,\n");
1211 		BIO_printf(bio_err,"If you enter '.', the field will be left blank.\n");
1212 		BIO_printf(bio_err,"-----\n");
1213 		}
1214 
1215 
1216 	if (sk_CONF_VALUE_num(dn_sk))
1217 		{
1218 		i= -1;
1219 start:		for (;;)
1220 			{
1221 			i++;
1222 			if (sk_CONF_VALUE_num(dn_sk) <= i) break;
1223 
1224 			v=sk_CONF_VALUE_value(dn_sk,i);
1225 			p=q=NULL;
1226 			type=v->name;
1227 			if(!check_end(type,"_min") || !check_end(type,"_max") ||
1228 				!check_end(type,"_default") ||
1229 					 !check_end(type,"_value")) continue;
1230 			/* Skip past any leading X. X: X, etc to allow for
1231 			 * multiple instances
1232 			 */
1233 			for(p = v->name; *p ; p++)
1234 				if ((*p == ':') || (*p == ',') ||
1235 							 (*p == '.')) {
1236 					p++;
1237 					if(*p) type = p;
1238 					break;
1239 				}
1240 			if (*type == '+')
1241 				{
1242 				mval = -1;
1243 				type++;
1244 				}
1245 			else
1246 				mval = 0;
1247 			/* If OBJ not recognised ignore it */
1248 			if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start;
1249 			if (BIO_snprintf(buf,sizeof buf,"%s_default",v->name)
1250 				>= (int)sizeof(buf))
1251 			   {
1252 			   BIO_printf(bio_err,"Name '%s' too long\n",v->name);
1253 			   return 0;
1254 			   }
1255 
1256 			if ((def=NCONF_get_string(req_conf,dn_sect,buf)) == NULL)
1257 				{
1258 				ERR_clear_error();
1259 				def="";
1260 				}
1261 
1262 			BIO_snprintf(buf,sizeof buf,"%s_value",v->name);
1263 			if ((value=NCONF_get_string(req_conf,dn_sect,buf)) == NULL)
1264 				{
1265 				ERR_clear_error();
1266 				value=NULL;
1267 				}
1268 
1269 			BIO_snprintf(buf,sizeof buf,"%s_min",v->name);
1270 			if (!NCONF_get_number(req_conf,dn_sect,buf, &n_min))
1271 				{
1272 				ERR_clear_error();
1273 				n_min = -1;
1274 				}
1275 
1276 			BIO_snprintf(buf,sizeof buf,"%s_max",v->name);
1277 			if (!NCONF_get_number(req_conf,dn_sect,buf, &n_max))
1278 				{
1279 				ERR_clear_error();
1280 				n_max = -1;
1281 				}
1282 
1283 			if (!add_DN_object(subj,v->value,def,value,nid,
1284 				n_min,n_max, chtype, mval))
1285 				return 0;
1286 			}
1287 		if (X509_NAME_entry_count(subj) == 0)
1288 			{
1289 			BIO_printf(bio_err,"error, no objects specified in config file\n");
1290 			return 0;
1291 			}
1292 
1293 		if (attribs)
1294 			{
1295 			if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0) && (!batch))
1296 				{
1297 				BIO_printf(bio_err,"\nPlease enter the following 'extra' attributes\n");
1298 				BIO_printf(bio_err,"to be sent with your certificate request\n");
1299 				}
1300 
1301 			i= -1;
1302 start2:			for (;;)
1303 				{
1304 				i++;
1305 				if ((attr_sk == NULL) ||
1306 					    (sk_CONF_VALUE_num(attr_sk) <= i))
1307 					break;
1308 
1309 				v=sk_CONF_VALUE_value(attr_sk,i);
1310 				type=v->name;
1311 				if ((nid=OBJ_txt2nid(type)) == NID_undef)
1312 					goto start2;
1313 
1314 				if (BIO_snprintf(buf,sizeof buf,"%s_default",type)
1315 					>= (int)sizeof(buf))
1316 				   {
1317 				   BIO_printf(bio_err,"Name '%s' too long\n",v->name);
1318 				   return 0;
1319 				   }
1320 
1321 				if ((def=NCONF_get_string(req_conf,attr_sect,buf))
1322 					== NULL)
1323 					{
1324 					ERR_clear_error();
1325 					def="";
1326 					}
1327 
1328 
1329 				BIO_snprintf(buf,sizeof buf,"%s_value",type);
1330 				if ((value=NCONF_get_string(req_conf,attr_sect,buf))
1331 					== NULL)
1332 					{
1333 					ERR_clear_error();
1334 					value=NULL;
1335 					}
1336 
1337 				BIO_snprintf(buf,sizeof buf,"%s_min",type);
1338 				if (!NCONF_get_number(req_conf,attr_sect,buf, &n_min))
1339 					{
1340 					ERR_clear_error();
1341 					n_min = -1;
1342 					}
1343 
1344 				BIO_snprintf(buf,sizeof buf,"%s_max",type);
1345 				if (!NCONF_get_number(req_conf,attr_sect,buf, &n_max))
1346 					{
1347 					ERR_clear_error();
1348 					n_max = -1;
1349 					}
1350 
1351 				if (!add_attribute_object(req,
1352 					v->value,def,value,nid,n_min,n_max, chtype))
1353 					return 0;
1354 				}
1355 			}
1356 		}
1357 	else
1358 		{
1359 		BIO_printf(bio_err,"No template, please set one up.\n");
1360 		return 0;
1361 		}
1362 
1363 	return 1;
1364 
1365 	}
1366 
auto_info(X509_REQ * req,STACK_OF (CONF_VALUE)* dn_sk,STACK_OF (CONF_VALUE)* attr_sk,int attribs,unsigned long chtype)1367 static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
1368 			STACK_OF(CONF_VALUE) *attr_sk, int attribs, unsigned long chtype)
1369 	{
1370 	int i;
1371 	char *p,*q;
1372 	char *type;
1373 	CONF_VALUE *v;
1374 	X509_NAME *subj;
1375 
1376 	subj = X509_REQ_get_subject_name(req);
1377 
1378 	for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++)
1379 		{
1380 		int mval;
1381 		v=sk_CONF_VALUE_value(dn_sk,i);
1382 		p=q=NULL;
1383 		type=v->name;
1384 		/* Skip past any leading X. X: X, etc to allow for
1385 		 * multiple instances
1386 		 */
1387 		for(p = v->name; *p ; p++)
1388 #ifndef CHARSET_EBCDIC
1389 			if ((*p == ':') || (*p == ',') || (*p == '.')) {
1390 #else
1391 			if ((*p == os_toascii[':']) || (*p == os_toascii[',']) || (*p == os_toascii['.'])) {
1392 #endif
1393 				p++;
1394 				if(*p) type = p;
1395 				break;
1396 			}
1397 #ifndef CHARSET_EBCDIC
1398 		if (*p == '+')
1399 #else
1400 		if (*p == os_toascii['+'])
1401 #endif
1402 			{
1403 			p++;
1404 			mval = -1;
1405 			}
1406 		else
1407 			mval = 0;
1408 		if (!X509_NAME_add_entry_by_txt(subj,type, chtype,
1409 				(unsigned char *) v->value,-1,-1,mval)) return 0;
1410 
1411 		}
1412 
1413 		if (!X509_NAME_entry_count(subj))
1414 			{
1415 			BIO_printf(bio_err,"error, no objects specified in config file\n");
1416 			return 0;
1417 			}
1418 		if (attribs)
1419 			{
1420 			for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++)
1421 				{
1422 				v=sk_CONF_VALUE_value(attr_sk,i);
1423 				if(!X509_REQ_add1_attr_by_txt(req, v->name, chtype,
1424 					(unsigned char *)v->value, -1)) return 0;
1425 				}
1426 			}
1427 	return 1;
1428 	}
1429 
1430 
1431 static int add_DN_object(X509_NAME *n, char *text, const char *def, char *value,
1432 	     int nid, int n_min, int n_max, unsigned long chtype, int mval)
1433 	{
1434 	int i,ret=0;
1435 	MS_STATIC char buf[1024];
1436 start:
1437 	if (!batch) BIO_printf(bio_err,"%s [%s]:",text,def);
1438 	(void)BIO_flush(bio_err);
1439 	if(value != NULL)
1440 		{
1441 		BUF_strlcpy(buf,value,sizeof buf);
1442 		BUF_strlcat(buf,"\n",sizeof buf);
1443 		BIO_printf(bio_err,"%s\n",value);
1444 		}
1445 	else
1446 		{
1447 		buf[0]='\0';
1448 		if (!batch)
1449 			{
1450 			if (!fgets(buf,sizeof buf,stdin))
1451 				return 0;
1452 			}
1453 		else
1454 			{
1455 			buf[0] = '\n';
1456 			buf[1] = '\0';
1457 			}
1458 		}
1459 
1460 	if (buf[0] == '\0') return(0);
1461 	else if (buf[0] == '\n')
1462 		{
1463 		if ((def == NULL) || (def[0] == '\0'))
1464 			return(1);
1465 		BUF_strlcpy(buf,def,sizeof buf);
1466 		BUF_strlcat(buf,"\n",sizeof buf);
1467 		}
1468 	else if ((buf[0] == '.') && (buf[1] == '\n')) return(1);
1469 
1470 	i=strlen(buf);
1471 	if (buf[i-1] != '\n')
1472 		{
1473 		BIO_printf(bio_err,"weird input :-(\n");
1474 		return(0);
1475 		}
1476 	buf[--i]='\0';
1477 #ifdef CHARSET_EBCDIC
1478 	ebcdic2ascii(buf, buf, i);
1479 #endif
1480 	if(!req_check_len(i, n_min, n_max)) goto start;
1481 	if (!X509_NAME_add_entry_by_NID(n,nid, chtype,
1482 				(unsigned char *) buf, -1,-1,mval)) goto err;
1483 	ret=1;
1484 err:
1485 	return(ret);
1486 	}
1487 
1488 static int add_attribute_object(X509_REQ *req, char *text, const char *def,
1489 				char *value, int nid, int n_min,
1490 				int n_max, unsigned long chtype)
1491 	{
1492 	int i;
1493 	static char buf[1024];
1494 
1495 start:
1496 	if (!batch) BIO_printf(bio_err,"%s [%s]:",text,def);
1497 	(void)BIO_flush(bio_err);
1498 	if (value != NULL)
1499 		{
1500 		BUF_strlcpy(buf,value,sizeof buf);
1501 		BUF_strlcat(buf,"\n",sizeof buf);
1502 		BIO_printf(bio_err,"%s\n",value);
1503 		}
1504 	else
1505 		{
1506 		buf[0]='\0';
1507 		if (!batch)
1508 			{
1509 			if (!fgets(buf,sizeof buf,stdin))
1510 				return 0;
1511 			}
1512 		else
1513 			{
1514 			buf[0] = '\n';
1515 			buf[1] = '\0';
1516 			}
1517 		}
1518 
1519 	if (buf[0] == '\0') return(0);
1520 	else if (buf[0] == '\n')
1521 		{
1522 		if ((def == NULL) || (def[0] == '\0'))
1523 			return(1);
1524 		BUF_strlcpy(buf,def,sizeof buf);
1525 		BUF_strlcat(buf,"\n",sizeof buf);
1526 		}
1527 	else if ((buf[0] == '.') && (buf[1] == '\n')) return(1);
1528 
1529 	i=strlen(buf);
1530 	if (buf[i-1] != '\n')
1531 		{
1532 		BIO_printf(bio_err,"weird input :-(\n");
1533 		return(0);
1534 		}
1535 	buf[--i]='\0';
1536 #ifdef CHARSET_EBCDIC
1537 	ebcdic2ascii(buf, buf, i);
1538 #endif
1539 	if(!req_check_len(i, n_min, n_max)) goto start;
1540 
1541 	if(!X509_REQ_add1_attr_by_NID(req, nid, chtype,
1542 					(unsigned char *)buf, -1)) {
1543 		BIO_printf(bio_err, "Error adding attribute\n");
1544 		ERR_print_errors(bio_err);
1545 		goto err;
1546 	}
1547 
1548 	return(1);
1549 err:
1550 	return(0);
1551 	}
1552 
1553 static int req_check_len(int len, int n_min, int n_max)
1554 	{
1555 	if ((n_min > 0) && (len < n_min))
1556 		{
1557 		BIO_printf(bio_err,"string is too short, it needs to be at least %d bytes long\n",n_min);
1558 		return(0);
1559 		}
1560 	if ((n_max >= 0) && (len > n_max))
1561 		{
1562 		BIO_printf(bio_err,"string is too long, it needs to be less than  %d bytes long\n",n_max);
1563 		return(0);
1564 		}
1565 	return(1);
1566 	}
1567 
1568 /* Check if the end of a string matches 'end' */
1569 static int check_end(const char *str, const char *end)
1570 {
1571 	int elen, slen;
1572 	const char *tmp;
1573 	elen = strlen(end);
1574 	slen = strlen(str);
1575 	if(elen > slen) return 1;
1576 	tmp = str + slen - elen;
1577 	return strcmp(tmp, end);
1578 }
1579 
1580 static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, int *pkey_type,
1581 					long *pkeylen, char **palgnam,
1582 					ENGINE *keygen_engine)
1583 	{
1584 	EVP_PKEY_CTX *gctx = NULL;
1585 	EVP_PKEY *param = NULL;
1586 	long keylen = -1;
1587 	BIO *pbio = NULL;
1588 	const char *paramfile = NULL;
1589 
1590 	if (gstr == NULL)
1591 		{
1592 		*pkey_type = EVP_PKEY_RSA;
1593 		keylen = *pkeylen;
1594 		}
1595 	else if (gstr[0] >= '0' && gstr[0] <= '9')
1596 		{
1597 		*pkey_type = EVP_PKEY_RSA;
1598 		keylen = atol(gstr);
1599 		*pkeylen = keylen;
1600 		}
1601 	else if (!strncmp(gstr, "param:", 6))
1602 		paramfile = gstr + 6;
1603 	else
1604 		{
1605 		const char *p = strchr(gstr, ':');
1606 		int len;
1607 		ENGINE *tmpeng;
1608 		const EVP_PKEY_ASN1_METHOD *ameth;
1609 
1610 		if (p)
1611 			len = p - gstr;
1612 		else
1613 			len = strlen(gstr);
1614 		/* The lookup of a the string will cover all engines so
1615 		 * keep a note of the implementation.
1616 		 */
1617 
1618 		ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len);
1619 
1620 		if (!ameth)
1621 			{
1622 			BIO_printf(err, "Unknown algorithm %.*s\n", len, gstr);
1623 			return NULL;
1624 			}
1625 
1626 		EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL,
1627 									ameth);
1628 #ifndef OPENSSL_NO_ENGINE
1629 		if (tmpeng)
1630 			ENGINE_finish(tmpeng);
1631 #endif
1632 		if (*pkey_type == EVP_PKEY_RSA)
1633 			{
1634 			if (p)
1635 				{
1636 				keylen = atol(p + 1);
1637 				*pkeylen = keylen;
1638 				}
1639 			}
1640 		else if (p)
1641 			paramfile = p + 1;
1642 		}
1643 
1644 	if (paramfile)
1645 		{
1646 		pbio = BIO_new_file(paramfile, "r");
1647 		if (!pbio)
1648 			{
1649 			BIO_printf(err, "Can't open parameter file %s\n",
1650 					paramfile);
1651 			return NULL;
1652 			}
1653 		param = PEM_read_bio_Parameters(pbio, NULL);
1654 
1655 		if (!param)
1656 			{
1657 			X509 *x;
1658 			(void)BIO_reset(pbio);
1659 			x = PEM_read_bio_X509(pbio, NULL, NULL, NULL);
1660 			if (x)
1661 				{
1662 				param = X509_get_pubkey(x);
1663 				X509_free(x);
1664 				}
1665 			}
1666 
1667 		BIO_free(pbio);
1668 
1669 		if (!param)
1670 			{
1671 			BIO_printf(err, "Error reading parameter file %s\n",
1672 					paramfile);
1673 			return NULL;
1674 			}
1675 		if (*pkey_type == -1)
1676 			*pkey_type = EVP_PKEY_id(param);
1677 		else if (*pkey_type != EVP_PKEY_base_id(param))
1678 			{
1679 			BIO_printf(err, "Key Type does not match parameters\n");
1680 			EVP_PKEY_free(param);
1681 			return NULL;
1682 			}
1683 		}
1684 
1685 	if (palgnam)
1686 		{
1687 		const EVP_PKEY_ASN1_METHOD *ameth;
1688 		ENGINE *tmpeng;
1689 		const char *anam;
1690 		ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type);
1691 		if (!ameth)
1692 			{
1693 			BIO_puts(err, "Internal error: can't find key algorithm\n");
1694 			return NULL;
1695 			}
1696 		EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
1697 		*palgnam = BUF_strdup(anam);
1698 #ifndef OPENSSL_NO_ENGINE
1699 		if (tmpeng)
1700 			ENGINE_finish(tmpeng);
1701 #endif
1702 		}
1703 
1704 	if (param)
1705 		{
1706 		gctx = EVP_PKEY_CTX_new(param, keygen_engine);
1707 		*pkeylen = EVP_PKEY_bits(param);
1708 		EVP_PKEY_free(param);
1709 		}
1710 	else
1711 		gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine);
1712 
1713 	if (!gctx)
1714 		{
1715 		BIO_puts(err, "Error allocating keygen context\n");
1716 		ERR_print_errors(err);
1717 		return NULL;
1718 		}
1719 
1720 	if (EVP_PKEY_keygen_init(gctx) <= 0)
1721 		{
1722 		BIO_puts(err, "Error initializing keygen context\n");
1723 		ERR_print_errors(err);
1724 		return NULL;
1725 		}
1726 #ifndef OPENSSL_NO_RSA
1727 	if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1))
1728 		{
1729 		if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0)
1730 			{
1731 			BIO_puts(err, "Error setting RSA keysize\n");
1732 			ERR_print_errors(err);
1733 			EVP_PKEY_CTX_free(gctx);
1734 			return NULL;
1735 			}
1736 		}
1737 #endif
1738 
1739 	return gctx;
1740 	}
1741 
1742 static int genpkey_cb(EVP_PKEY_CTX *ctx)
1743 	{
1744 	char c='*';
1745 	BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
1746 	int p;
1747 	p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
1748 	if (p == 0) c='.';
1749 	if (p == 1) c='+';
1750 	if (p == 2) c='*';
1751 	if (p == 3) c='\n';
1752 	BIO_write(b,&c,1);
1753 	(void)BIO_flush(b);
1754 #ifdef LINT
1755 	p=n;
1756 #endif
1757 	return 1;
1758 	}
1759