1 /* 2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include <stdlib.h> 12 #include <time.h> 13 #include <string.h> 14 #include <ctype.h> 15 #include "apps.h" 16 #include "progs.h" 17 #include <openssl/core_names.h> 18 #include <openssl/bio.h> 19 #include <openssl/evp.h> 20 #include <openssl/conf.h> 21 #include <openssl/err.h> 22 #include <openssl/asn1.h> 23 #include <openssl/x509.h> 24 #include <openssl/x509v3.h> 25 #include <openssl/objects.h> 26 #include <openssl/pem.h> 27 #include <openssl/bn.h> 28 #include <openssl/lhash.h> 29 #include <openssl/rsa.h> 30 #ifndef OPENSSL_NO_DSA 31 # include <openssl/dsa.h> 32 #endif 33 34 #define BITS "default_bits" 35 #define KEYFILE "default_keyfile" 36 #define PROMPT "prompt" 37 #define DISTINGUISHED_NAME "distinguished_name" 38 #define ATTRIBUTES "attributes" 39 #define V3_EXTENSIONS "x509_extensions" 40 #define REQ_EXTENSIONS "req_extensions" 41 #define STRING_MASK "string_mask" 42 #define UTF8_IN "utf8" 43 44 #define DEFAULT_KEY_LENGTH 2048 45 #define MIN_KEY_LENGTH 512 46 #define DEFAULT_DAYS 30 /* default cert validity period in days */ 47 #define UNSET_DAYS -2 /* -1 may be used for testing expiration checks */ 48 #define EXT_COPY_UNSET -1 49 50 static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, X509_NAME *fsubj, 51 int mutlirdn, int attribs, unsigned long chtype); 52 static int prompt_info(X509_REQ *req, 53 STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect, 54 STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect, 55 int attribs, unsigned long chtype); 56 static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk, 57 STACK_OF(CONF_VALUE) *attr, int attribs, 58 unsigned long chtype); 59 static int add_attribute_object(X509_REQ *req, char *text, const char *def, 60 char *value, int nid, int n_min, int n_max, 61 unsigned long chtype); 62 static int add_DN_object(X509_NAME *n, char *text, const char *def, 63 char *value, int nid, int n_min, int n_max, 64 unsigned long chtype, int mval); 65 static int genpkey_cb(EVP_PKEY_CTX *ctx); 66 static int build_data(char *text, const char *def, char *value, 67 int n_min, int n_max, char *buf, const int buf_size, 68 const char *desc1, const char *desc2); 69 static int req_check_len(int len, int n_min, int n_max); 70 static int check_end(const char *str, const char *end); 71 static int join(char buf[], size_t buf_size, const char *name, 72 const char *tail, const char *desc); 73 static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, 74 char **pkeytype, long *pkeylen, 75 ENGINE *keygen_engine); 76 77 static const char *section = "req"; 78 static CONF *req_conf = NULL; 79 static CONF *addext_conf = NULL; 80 static int batch = 0; 81 82 typedef enum OPTION_choice { 83 OPT_COMMON, 84 OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY, 85 OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT, 86 OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_NEWKEY, 87 OPT_PKEYOPT, OPT_SIGOPT, OPT_VFYOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS, 88 OPT_VERIFY, OPT_NOENC, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8, 89 OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509, 90 OPT_CA, OPT_CAKEY, 91 OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, 92 OPT_COPY_EXTENSIONS, OPT_ADDEXT, OPT_EXTENSIONS, 93 OPT_REQEXTS, OPT_PRECERT, OPT_MD, 94 OPT_SECTION, 95 OPT_R_ENUM, OPT_PROV_ENUM 96 } OPTION_CHOICE; 97 98 const OPTIONS req_options[] = { 99 OPT_SECTION("General"), 100 {"help", OPT_HELP, '-', "Display this summary"}, 101 #ifndef OPENSSL_NO_ENGINE 102 {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, 103 {"keygen_engine", OPT_KEYGEN_ENGINE, 's', 104 "Specify engine to be used for key generation operations"}, 105 #endif 106 {"in", OPT_IN, '<', "X.509 request input file (default stdin)"}, 107 {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, 108 {"verify", OPT_VERIFY, '-', "Verify self-signature on the request"}, 109 110 OPT_SECTION("Certificate"), 111 {"new", OPT_NEW, '-', "New request"}, 112 {"config", OPT_CONFIG, '<', "Request template file"}, 113 {"section", OPT_SECTION, 's', "Config section to use (default \"req\")"}, 114 {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"}, 115 {"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"}, 116 {"reqopt", OPT_REQOPT, 's', "Various request text options"}, 117 {"text", OPT_TEXT, '-', "Text form of request"}, 118 {"x509", OPT_X509, '-', 119 "Output an X.509 certificate structure instead of a cert request"}, 120 {"CA", OPT_CA, '<', "Issuer cert to use for signing a cert, implies -x509"}, 121 {"CAkey", OPT_CAKEY, 's', 122 "Issuer private key to use with -CA; default is -CA arg"}, 123 {OPT_MORE_STR, 1, 1, "(Required by some CA's)"}, 124 {"subj", OPT_SUBJ, 's', "Set or modify subject of request or cert"}, 125 {"subject", OPT_SUBJECT, '-', 126 "Print the subject of the output request or cert"}, 127 {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-', 128 "Deprecated; multi-valued RDNs support is always on."}, 129 {"days", OPT_DAYS, 'p', "Number of days cert is valid for"}, 130 {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"}, 131 {"copy_extensions", OPT_COPY_EXTENSIONS, 's', 132 "copy extensions from request when using -x509"}, 133 {"addext", OPT_ADDEXT, 's', 134 "Additional cert extension key=value pair (may be given more than once)"}, 135 {"extensions", OPT_EXTENSIONS, 's', 136 "Cert extension section (override value in config file)"}, 137 {"reqexts", OPT_REQEXTS, 's', 138 "Request extension section (override value in config file)"}, 139 {"precert", OPT_PRECERT, '-', 140 "Add a poison extension to the generated cert (implies -new)"}, 141 142 OPT_SECTION("Keys and Signing"), 143 {"key", OPT_KEY, 's', "Key for signing, and to include unless -in given"}, 144 {"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"}, 145 {"pubkey", OPT_PUBKEY, '-', "Output public key"}, 146 {"keyout", OPT_KEYOUT, '>', "File to write private key to"}, 147 {"passin", OPT_PASSIN, 's', "Private key and certificate password source"}, 148 {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, 149 {"newkey", OPT_NEWKEY, 's', 150 "Generate new key with [<alg>:]<nbits> or <alg>[:<file>] or param:<file>"}, 151 {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"}, 152 {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, 153 {"vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form"}, 154 {"", OPT_MD, '-', "Any supported digest"}, 155 156 OPT_SECTION("Output"), 157 {"out", OPT_OUT, '>', "Output file"}, 158 {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, 159 {"batch", OPT_BATCH, '-', 160 "Do not ask anything during request generation"}, 161 {"verbose", OPT_VERBOSE, '-', "Verbose output"}, 162 {"noenc", OPT_NOENC, '-', "Don't encrypt private keys"}, 163 {"nodes", OPT_NODES, '-', "Don't encrypt private keys; deprecated"}, 164 {"noout", OPT_NOOUT, '-', "Do not output REQ"}, 165 {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"}, 166 {"modulus", OPT_MODULUS, '-', "RSA modulus"}, 167 168 OPT_R_OPTIONS, 169 OPT_PROV_OPTIONS, 170 {NULL} 171 }; 172 173 /* 174 * An LHASH of strings, where each string is an extension name. 175 */ 176 static unsigned long ext_name_hash(const OPENSSL_STRING *a) 177 { 178 return OPENSSL_LH_strhash((const char *)a); 179 } 180 181 static int ext_name_cmp(const OPENSSL_STRING *a, const OPENSSL_STRING *b) 182 { 183 return strcmp((const char *)a, (const char *)b); 184 } 185 186 static void exts_cleanup(OPENSSL_STRING *x) 187 { 188 OPENSSL_free((char *)x); 189 } 190 191 /* 192 * Is the |kv| key already duplicated? This is remarkably tricky to get right. 193 * Return 0 if unique, -1 on runtime error; 1 if found or a syntax error. 194 */ 195 static int duplicated(LHASH_OF(OPENSSL_STRING) *addexts, char *kv) 196 { 197 char *p; 198 size_t off; 199 200 /* Check syntax. */ 201 /* Skip leading whitespace, make a copy. */ 202 while (*kv && isspace(*kv)) 203 if (*++kv == '\0') 204 return 1; 205 if ((p = strchr(kv, '=')) == NULL) 206 return 1; 207 off = p - kv; 208 if ((kv = OPENSSL_strdup(kv)) == NULL) 209 return -1; 210 211 /* Skip trailing space before the equal sign. */ 212 for (p = kv + off; p > kv; --p) 213 if (!isspace(p[-1])) 214 break; 215 if (p == kv) { 216 OPENSSL_free(kv); 217 return 1; 218 } 219 *p = '\0'; 220 221 /* Finally have a clean "key"; see if it's there [by attempt to add it]. */ 222 p = (char *)lh_OPENSSL_STRING_insert(addexts, (OPENSSL_STRING *)kv); 223 if (p != NULL) { 224 OPENSSL_free(p); 225 return 1; 226 } else if (lh_OPENSSL_STRING_error(addexts)) { 227 OPENSSL_free(kv); 228 return -1; 229 } 230 231 return 0; 232 } 233 234 int req_main(int argc, char **argv) 235 { 236 ASN1_INTEGER *serial = NULL; 237 BIO *out = NULL; 238 ENGINE *e = NULL, *gen_eng = NULL; 239 EVP_PKEY *pkey = NULL, *CAkey = NULL; 240 EVP_PKEY_CTX *genctx = NULL; 241 STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL, *vfyopts = NULL; 242 LHASH_OF(OPENSSL_STRING) *addexts = NULL; 243 X509 *new_x509 = NULL, *CAcert = NULL; 244 X509_REQ *req = NULL; 245 EVP_CIPHER *cipher = NULL; 246 EVP_MD *md = NULL; 247 int ext_copy = EXT_COPY_UNSET; 248 BIO *addext_bio = NULL; 249 char *extensions = NULL; 250 const char *infile = NULL, *CAfile = NULL, *CAkeyfile = NULL; 251 char *outfile = NULL, *keyfile = NULL, *digest = NULL; 252 char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL; 253 char *passin = NULL, *passout = NULL; 254 char *nofree_passin = NULL, *nofree_passout = NULL; 255 char *req_exts = NULL, *subj = NULL; 256 X509_NAME *fsubj = NULL; 257 char *template = default_config_file, *keyout = NULL; 258 const char *keyalg = NULL; 259 OPTION_CHOICE o; 260 int days = UNSET_DAYS; 261 int ret = 1, gen_x509 = 0, i = 0, newreq = 0, verbose = 0; 262 int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, keyform = FORMAT_UNDEF; 263 int modulus = 0, multirdn = 1, verify = 0, noout = 0, text = 0; 264 int noenc = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0; 265 long newkey_len = -1; 266 unsigned long chtype = MBSTRING_ASC, reqflag = 0; 267 268 #ifndef OPENSSL_NO_DES 269 cipher = (EVP_CIPHER *)EVP_des_ede3_cbc(); 270 #endif 271 272 prog = opt_init(argc, argv, req_options); 273 while ((o = opt_next()) != OPT_EOF) { 274 switch (o) { 275 case OPT_EOF: 276 case OPT_ERR: 277 opthelp: 278 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); 279 goto end; 280 case OPT_HELP: 281 opt_help(req_options); 282 ret = 0; 283 goto end; 284 case OPT_INFORM: 285 if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) 286 goto opthelp; 287 break; 288 case OPT_OUTFORM: 289 if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) 290 goto opthelp; 291 break; 292 case OPT_ENGINE: 293 e = setup_engine(opt_arg(), 0); 294 break; 295 case OPT_KEYGEN_ENGINE: 296 #ifndef OPENSSL_NO_ENGINE 297 gen_eng = setup_engine(opt_arg(), 0); 298 if (gen_eng == NULL) { 299 BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv); 300 goto opthelp; 301 } 302 #endif 303 break; 304 case OPT_KEY: 305 keyfile = opt_arg(); 306 break; 307 case OPT_PUBKEY: 308 pubkey = 1; 309 break; 310 case OPT_NEW: 311 newreq = 1; 312 break; 313 case OPT_CONFIG: 314 template = opt_arg(); 315 break; 316 case OPT_SECTION: 317 section = opt_arg(); 318 break; 319 case OPT_KEYFORM: 320 if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform)) 321 goto opthelp; 322 break; 323 case OPT_IN: 324 infile = opt_arg(); 325 break; 326 case OPT_OUT: 327 outfile = opt_arg(); 328 break; 329 case OPT_KEYOUT: 330 keyout = opt_arg(); 331 break; 332 case OPT_PASSIN: 333 passargin = opt_arg(); 334 break; 335 case OPT_PASSOUT: 336 passargout = opt_arg(); 337 break; 338 case OPT_R_CASES: 339 if (!opt_rand(o)) 340 goto end; 341 break; 342 case OPT_PROV_CASES: 343 if (!opt_provider(o)) 344 goto end; 345 break; 346 case OPT_NEWKEY: 347 keyalg = opt_arg(); 348 newreq = 1; 349 break; 350 case OPT_PKEYOPT: 351 if (pkeyopts == NULL) 352 pkeyopts = sk_OPENSSL_STRING_new_null(); 353 if (pkeyopts == NULL 354 || !sk_OPENSSL_STRING_push(pkeyopts, opt_arg())) 355 goto opthelp; 356 break; 357 case OPT_SIGOPT: 358 if (!sigopts) 359 sigopts = sk_OPENSSL_STRING_new_null(); 360 if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) 361 goto opthelp; 362 break; 363 case OPT_VFYOPT: 364 if (!vfyopts) 365 vfyopts = sk_OPENSSL_STRING_new_null(); 366 if (!vfyopts || !sk_OPENSSL_STRING_push(vfyopts, opt_arg())) 367 goto opthelp; 368 break; 369 case OPT_BATCH: 370 batch = 1; 371 break; 372 case OPT_NEWHDR: 373 newhdr = 1; 374 break; 375 case OPT_MODULUS: 376 modulus = 1; 377 break; 378 case OPT_VERIFY: 379 verify = 1; 380 break; 381 case OPT_NODES: 382 case OPT_NOENC: 383 noenc = 1; 384 break; 385 case OPT_NOOUT: 386 noout = 1; 387 break; 388 case OPT_VERBOSE: 389 verbose = 1; 390 break; 391 case OPT_UTF8: 392 chtype = MBSTRING_UTF8; 393 break; 394 case OPT_NAMEOPT: 395 if (!set_nameopt(opt_arg())) 396 goto opthelp; 397 break; 398 case OPT_REQOPT: 399 if (!set_cert_ex(&reqflag, opt_arg())) 400 goto opthelp; 401 break; 402 case OPT_TEXT: 403 text = 1; 404 break; 405 case OPT_X509: 406 gen_x509 = 1; 407 break; 408 case OPT_CA: 409 CAfile = opt_arg(); 410 gen_x509 = 1; 411 break; 412 case OPT_CAKEY: 413 CAkeyfile = opt_arg(); 414 break; 415 case OPT_DAYS: 416 days = atoi(opt_arg()); 417 if (days < -1) { 418 BIO_printf(bio_err, "%s: -days parameter arg must be >= -1\n", 419 prog); 420 goto end; 421 } 422 break; 423 case OPT_SET_SERIAL: 424 if (serial != NULL) { 425 BIO_printf(bio_err, "Serial number supplied twice\n"); 426 goto opthelp; 427 } 428 serial = s2i_ASN1_INTEGER(NULL, opt_arg()); 429 if (serial == NULL) 430 goto opthelp; 431 break; 432 case OPT_SUBJECT: 433 subject = 1; 434 break; 435 case OPT_SUBJ: 436 subj = opt_arg(); 437 break; 438 case OPT_MULTIVALUE_RDN: 439 /* obsolete */ 440 break; 441 case OPT_COPY_EXTENSIONS: 442 if (!set_ext_copy(&ext_copy, opt_arg())) { 443 BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", 444 opt_arg()); 445 goto end; 446 } 447 break; 448 case OPT_ADDEXT: 449 p = opt_arg(); 450 if (addexts == NULL) { 451 addexts = lh_OPENSSL_STRING_new(ext_name_hash, ext_name_cmp); 452 addext_bio = BIO_new(BIO_s_mem()); 453 if (addexts == NULL || addext_bio == NULL) 454 goto end; 455 } 456 i = duplicated(addexts, p); 457 if (i == 1) { 458 BIO_printf(bio_err, "Duplicate extension: %s\n", p); 459 goto opthelp; 460 } 461 if (i < 0 || BIO_printf(addext_bio, "%s\n", p) < 0) 462 goto end; 463 break; 464 case OPT_EXTENSIONS: 465 extensions = opt_arg(); 466 break; 467 case OPT_REQEXTS: 468 req_exts = opt_arg(); 469 break; 470 case OPT_PRECERT: 471 newreq = precert = 1; 472 break; 473 case OPT_MD: 474 digest = opt_unknown(); 475 break; 476 } 477 } 478 479 /* No extra arguments. */ 480 argc = opt_num_rest(); 481 if (argc != 0) 482 goto opthelp; 483 484 if (!app_RAND_load()) 485 goto end; 486 487 if (!gen_x509) { 488 if (days != UNSET_DAYS) 489 BIO_printf(bio_err, "Ignoring -days without -x509; not generating a certificate\n"); 490 if (ext_copy == EXT_COPY_NONE) 491 BIO_printf(bio_err, "Ignoring -copy_extensions 'none' when -x509 is not given\n"); 492 } 493 if (gen_x509 && infile == NULL) 494 newreq = 1; 495 496 if (!app_passwd(passargin, passargout, &passin, &passout)) { 497 BIO_printf(bio_err, "Error getting passwords\n"); 498 goto end; 499 } 500 501 if ((req_conf = app_load_config_verbose(template, verbose)) == NULL) 502 goto end; 503 if (addext_bio != NULL) { 504 if (verbose) 505 BIO_printf(bio_err, 506 "Using additional configuration from -addext options\n"); 507 if ((addext_conf = app_load_config_bio(addext_bio, NULL)) == NULL) 508 goto end; 509 } 510 if (template != default_config_file && !app_load_modules(req_conf)) 511 goto end; 512 513 if (req_conf != NULL) { 514 p = NCONF_get_string(req_conf, NULL, "oid_file"); 515 if (p == NULL) 516 ERR_clear_error(); 517 if (p != NULL) { 518 BIO *oid_bio = BIO_new_file(p, "r"); 519 520 if (oid_bio == NULL) { 521 if (verbose) 522 BIO_printf(bio_err, 523 "Problems opening '%s' for extra OIDs\n", p); 524 } else { 525 OBJ_create_objects(oid_bio); 526 BIO_free(oid_bio); 527 } 528 } 529 } 530 if (!add_oid_section(req_conf)) 531 goto end; 532 533 /* Check that any specified digest is fetchable */ 534 if (digest != NULL) { 535 if (!opt_md(digest, &md)) { 536 ERR_clear_error(); 537 goto opthelp; 538 } 539 EVP_MD_free(md); 540 } else { 541 /* No digest specified, default to configuration */ 542 p = NCONF_get_string(req_conf, section, "default_md"); 543 if (p == NULL) 544 ERR_clear_error(); 545 else 546 digest = p; 547 } 548 549 if (extensions == NULL) { 550 extensions = NCONF_get_string(req_conf, section, V3_EXTENSIONS); 551 if (extensions == NULL) 552 ERR_clear_error(); 553 } 554 if (extensions != NULL) { 555 /* Check syntax of file */ 556 X509V3_CTX ctx; 557 558 X509V3_set_ctx_test(&ctx); 559 X509V3_set_nconf(&ctx, req_conf); 560 if (!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) { 561 BIO_printf(bio_err, 562 "Error checking x509 extension section %s\n", 563 extensions); 564 goto end; 565 } 566 } 567 if (addext_conf != NULL) { 568 /* Check syntax of command line extensions */ 569 X509V3_CTX ctx; 570 571 X509V3_set_ctx_test(&ctx); 572 X509V3_set_nconf(&ctx, addext_conf); 573 if (!X509V3_EXT_add_nconf(addext_conf, &ctx, "default", NULL)) { 574 BIO_printf(bio_err, "Error checking extensions defined using -addext\n"); 575 goto end; 576 } 577 } 578 579 if (passin == NULL) { 580 passin = nofree_passin = 581 NCONF_get_string(req_conf, section, "input_password"); 582 if (passin == NULL) 583 ERR_clear_error(); 584 } 585 586 if (passout == NULL) { 587 passout = nofree_passout = 588 NCONF_get_string(req_conf, section, "output_password"); 589 if (passout == NULL) 590 ERR_clear_error(); 591 } 592 593 p = NCONF_get_string(req_conf, section, STRING_MASK); 594 if (p == NULL) 595 ERR_clear_error(); 596 597 if (p != NULL && !ASN1_STRING_set_default_mask_asc(p)) { 598 BIO_printf(bio_err, "Invalid global string mask setting %s\n", p); 599 goto end; 600 } 601 602 if (chtype != MBSTRING_UTF8) { 603 p = NCONF_get_string(req_conf, section, UTF8_IN); 604 if (p == NULL) 605 ERR_clear_error(); 606 else if (strcmp(p, "yes") == 0) 607 chtype = MBSTRING_UTF8; 608 } 609 610 if (req_exts == NULL) { 611 req_exts = NCONF_get_string(req_conf, section, REQ_EXTENSIONS); 612 if (req_exts == NULL) 613 ERR_clear_error(); 614 } 615 if (req_exts != NULL) { 616 /* Check syntax of file */ 617 X509V3_CTX ctx; 618 619 X509V3_set_ctx_test(&ctx); 620 X509V3_set_nconf(&ctx, req_conf); 621 if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) { 622 BIO_printf(bio_err, 623 "Error checking request extension section %s\n", 624 req_exts); 625 goto end; 626 } 627 } 628 629 if (keyfile != NULL) { 630 pkey = load_key(keyfile, keyform, 0, passin, e, "private key"); 631 if (pkey == NULL) 632 goto end; 633 app_RAND_load_conf(req_conf, section); 634 } 635 if (newreq && pkey == NULL) { 636 app_RAND_load_conf(req_conf, section); 637 638 if (!NCONF_get_number(req_conf, section, BITS, &newkey_len)) 639 newkey_len = DEFAULT_KEY_LENGTH; 640 641 genctx = set_keygen_ctx(keyalg, &keyalgstr, &newkey_len, gen_eng); 642 if (genctx == NULL) 643 goto end; 644 645 if (newkey_len < MIN_KEY_LENGTH 646 && (EVP_PKEY_CTX_is_a(genctx, "RSA") 647 || EVP_PKEY_CTX_is_a(genctx, "RSA-PSS") 648 || EVP_PKEY_CTX_is_a(genctx, "DSA"))) { 649 BIO_printf(bio_err, "Private key length too short, needs to be at least %d bits, not %ld.\n", 650 MIN_KEY_LENGTH, newkey_len); 651 goto end; 652 } 653 654 if (newkey_len > OPENSSL_RSA_MAX_MODULUS_BITS 655 && (EVP_PKEY_CTX_is_a(genctx, "RSA") 656 || EVP_PKEY_CTX_is_a(genctx, "RSA-PSS"))) 657 BIO_printf(bio_err, 658 "Warning: It is not recommended to use more than %d bit for RSA keys.\n" 659 " Your key size is %ld! Larger key size may behave not as expected.\n", 660 OPENSSL_RSA_MAX_MODULUS_BITS, newkey_len); 661 662 #ifndef OPENSSL_NO_DSA 663 if (EVP_PKEY_CTX_is_a(genctx, "DSA") 664 && newkey_len > OPENSSL_DSA_MAX_MODULUS_BITS) 665 BIO_printf(bio_err, 666 "Warning: It is not recommended to use more than %d bit for DSA keys.\n" 667 " Your key size is %ld! Larger key size may behave not as expected.\n", 668 OPENSSL_DSA_MAX_MODULUS_BITS, newkey_len); 669 #endif 670 671 if (pkeyopts != NULL) { 672 char *genopt; 673 for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) { 674 genopt = sk_OPENSSL_STRING_value(pkeyopts, i); 675 if (pkey_ctrl_string(genctx, genopt) <= 0) { 676 BIO_printf(bio_err, "Key parameter error \"%s\"\n", genopt); 677 goto end; 678 } 679 } 680 } 681 682 EVP_PKEY_CTX_set_cb(genctx, genpkey_cb); 683 EVP_PKEY_CTX_set_app_data(genctx, bio_err); 684 685 pkey = app_keygen(genctx, keyalgstr, newkey_len, verbose); 686 687 EVP_PKEY_CTX_free(genctx); 688 genctx = NULL; 689 } 690 if (keyout == NULL && keyfile == NULL) { 691 keyout = NCONF_get_string(req_conf, section, KEYFILE); 692 if (keyout == NULL) 693 ERR_clear_error(); 694 } 695 696 if (pkey != NULL && (keyfile == NULL || keyout != NULL)) { 697 if (verbose) { 698 BIO_printf(bio_err, "Writing private key to "); 699 if (keyout == NULL) 700 BIO_printf(bio_err, "stdout\n"); 701 else 702 BIO_printf(bio_err, "'%s'\n", keyout); 703 } 704 out = bio_open_owner(keyout, outformat, newreq); 705 if (out == NULL) 706 goto end; 707 708 p = NCONF_get_string(req_conf, section, "encrypt_rsa_key"); 709 if (p == NULL) { 710 ERR_clear_error(); 711 p = NCONF_get_string(req_conf, section, "encrypt_key"); 712 if (p == NULL) 713 ERR_clear_error(); 714 } 715 if ((p != NULL) && (strcmp(p, "no") == 0)) 716 cipher = NULL; 717 if (noenc) 718 cipher = NULL; 719 720 i = 0; 721 loop: 722 if (!PEM_write_bio_PrivateKey(out, pkey, cipher, 723 NULL, 0, NULL, passout)) { 724 if ((ERR_GET_REASON(ERR_peek_error()) == 725 PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) { 726 ERR_clear_error(); 727 i++; 728 goto loop; 729 } 730 goto end; 731 } 732 BIO_free(out); 733 out = NULL; 734 BIO_printf(bio_err, "-----\n"); 735 } 736 737 /* 738 * subj is expected to be in the format /type0=value0/type1=value1/type2=... 739 * where characters may be escaped by \ 740 */ 741 if (subj != NULL 742 && (fsubj = parse_name(subj, chtype, multirdn, "subject")) == NULL) 743 goto end; 744 745 if (!newreq) { 746 req = load_csr(infile /* if NULL, reads from stdin */, 747 informat, "X509 request"); 748 if (req == NULL) 749 goto end; 750 } 751 752 if (CAkeyfile == NULL) 753 CAkeyfile = CAfile; 754 if (CAkeyfile != NULL) { 755 if (CAfile == NULL) { 756 BIO_printf(bio_err, 757 "Warning: Ignoring -CAkey option since no -CA option is given\n"); 758 } else { 759 if ((CAkey = load_key(CAkeyfile, FORMAT_UNDEF, 760 0, passin, e, 761 CAkeyfile != CAfile 762 ? "issuer private key from -CAkey arg" 763 : "issuer private key from -CA arg")) == NULL) 764 goto end; 765 } 766 } 767 if (CAfile != NULL) { 768 if ((CAcert = load_cert_pass(CAfile, FORMAT_UNDEF, 1, passin, 769 "issuer cert from -CA arg")) == NULL) 770 goto end; 771 if (!X509_check_private_key(CAcert, CAkey)) { 772 BIO_printf(bio_err, 773 "Issuer CA certificate and key do not match\n"); 774 goto end; 775 } 776 } 777 if (newreq || gen_x509) { 778 if (CAcert == NULL && pkey == NULL) { 779 BIO_printf(bio_err, "Must provide a signature key using -key or" 780 " provide -CA / -CAkey\n"); 781 goto end; 782 } 783 784 if (req == NULL) { 785 req = X509_REQ_new_ex(app_get0_libctx(), app_get0_propq()); 786 if (req == NULL) { 787 goto end; 788 } 789 790 if (!make_REQ(req, pkey, fsubj, multirdn, !gen_x509, chtype)){ 791 BIO_printf(bio_err, "Error making certificate request\n"); 792 goto end; 793 } 794 /* Note that -x509 can take over -key and -subj option values. */ 795 } 796 if (gen_x509) { 797 EVP_PKEY *pub_key = X509_REQ_get0_pubkey(req); 798 EVP_PKEY *issuer_key = CAcert != NULL ? CAkey : pkey; 799 X509V3_CTX ext_ctx; 800 X509_NAME *issuer = CAcert != NULL ? X509_get_subject_name(CAcert) : 801 X509_REQ_get_subject_name(req); 802 X509_NAME *n_subj = fsubj != NULL ? fsubj : 803 X509_REQ_get_subject_name(req); 804 805 if ((new_x509 = X509_new_ex(app_get0_libctx(), 806 app_get0_propq())) == NULL) 807 goto end; 808 809 if (serial != NULL) { 810 if (!X509_set_serialNumber(new_x509, serial)) 811 goto end; 812 } else { 813 if (!rand_serial(NULL, X509_get_serialNumber(new_x509))) 814 goto end; 815 } 816 817 if (!X509_set_issuer_name(new_x509, issuer)) 818 goto end; 819 if (days == UNSET_DAYS) { 820 days = DEFAULT_DAYS; 821 } 822 if (!set_cert_times(new_x509, NULL, NULL, days)) 823 goto end; 824 if (!X509_set_subject_name(new_x509, n_subj)) 825 goto end; 826 if (!pub_key || !X509_set_pubkey(new_x509, pub_key)) 827 goto end; 828 if (ext_copy == EXT_COPY_UNSET) { 829 if (infile != NULL) 830 BIO_printf(bio_err, "Warning: No -copy_extensions given; ignoring any extensions in the request\n"); 831 } else if (!copy_extensions(new_x509, req, ext_copy)) { 832 BIO_printf(bio_err, "Error copying extensions from request\n"); 833 goto end; 834 } 835 836 /* Set up V3 context struct */ 837 X509V3_set_ctx(&ext_ctx, CAcert != NULL ? CAcert : new_x509, 838 new_x509, NULL, NULL, X509V3_CTX_REPLACE); 839 /* prepare fallback for AKID, but only if issuer cert == new_x509 */ 840 if (CAcert == NULL) { 841 if (!X509V3_set_issuer_pkey(&ext_ctx, issuer_key)) 842 goto end; 843 ERR_set_mark(); 844 if (!X509_check_private_key(new_x509, issuer_key)) 845 BIO_printf(bio_err, 846 "Warning: Signature key and public key of cert do not match\n"); 847 ERR_pop_to_mark(); 848 } 849 X509V3_set_nconf(&ext_ctx, req_conf); 850 851 /* Add extensions */ 852 if (extensions != NULL 853 && !X509V3_EXT_add_nconf(req_conf, &ext_ctx, extensions, 854 new_x509)) { 855 BIO_printf(bio_err, "Error adding x509 extensions from section %s\n", 856 extensions); 857 goto end; 858 } 859 if (addext_conf != NULL 860 && !X509V3_EXT_add_nconf(addext_conf, &ext_ctx, "default", 861 new_x509)) { 862 BIO_printf(bio_err, "Error adding extensions defined via -addext\n"); 863 goto end; 864 } 865 866 /* If a pre-cert was requested, we need to add a poison extension */ 867 if (precert) { 868 if (X509_add1_ext_i2d(new_x509, NID_ct_precert_poison, 869 NULL, 1, 0) != 1) { 870 BIO_printf(bio_err, "Error adding poison extension\n"); 871 goto end; 872 } 873 } 874 875 i = do_X509_sign(new_x509, issuer_key, digest, sigopts, &ext_ctx); 876 if (!i) 877 goto end; 878 } else { 879 X509V3_CTX ext_ctx; 880 881 /* Set up V3 context struct */ 882 X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0); 883 X509V3_set_nconf(&ext_ctx, req_conf); 884 885 /* Add extensions */ 886 if (req_exts != NULL 887 && !X509V3_EXT_REQ_add_nconf(req_conf, &ext_ctx, 888 req_exts, req)) { 889 BIO_printf(bio_err, "Error adding request extensions from section %s\n", 890 req_exts); 891 goto end; 892 } 893 if (addext_conf != NULL 894 && !X509V3_EXT_REQ_add_nconf(addext_conf, &ext_ctx, "default", 895 req)) { 896 BIO_printf(bio_err, "Error adding extensions defined via -addext\n"); 897 goto end; 898 } 899 i = do_X509_REQ_sign(req, pkey, digest, sigopts); 900 if (!i) 901 goto end; 902 } 903 } 904 905 if (subj != NULL && !newreq && !gen_x509) { 906 if (verbose) { 907 BIO_printf(out, "Modifying subject of certificate request\n"); 908 print_name(out, "Old subject=", X509_REQ_get_subject_name(req)); 909 } 910 911 if (!X509_REQ_set_subject_name(req, fsubj)) { 912 BIO_printf(bio_err, "Error modifying subject of certificate request\n"); 913 goto end; 914 } 915 916 if (verbose) { 917 print_name(out, "New subject=", X509_REQ_get_subject_name(req)); 918 } 919 } 920 921 if (verify) { 922 EVP_PKEY *tpubkey = pkey; 923 924 if (tpubkey == NULL) { 925 tpubkey = X509_REQ_get0_pubkey(req); 926 if (tpubkey == NULL) 927 goto end; 928 } 929 930 i = do_X509_REQ_verify(req, tpubkey, vfyopts); 931 932 if (i < 0) 933 goto end; 934 if (i == 0) 935 BIO_printf(bio_err, "Certificate request self-signature verify failure\n"); 936 else /* i > 0 */ 937 BIO_printf(bio_err, "Certificate request self-signature verify OK\n"); 938 } 939 940 if (noout && !text && !modulus && !subject && !pubkey) { 941 ret = 0; 942 goto end; 943 } 944 945 out = bio_open_default(outfile, 946 keyout != NULL && outfile != NULL && 947 strcmp(keyout, outfile) == 0 ? 'a' : 'w', 948 outformat); 949 if (out == NULL) 950 goto end; 951 952 if (pubkey) { 953 EVP_PKEY *tpubkey = X509_REQ_get0_pubkey(req); 954 955 if (tpubkey == NULL) { 956 BIO_printf(bio_err, "Error getting public key\n"); 957 goto end; 958 } 959 PEM_write_bio_PUBKEY(out, tpubkey); 960 } 961 962 if (text) { 963 if (gen_x509) 964 ret = X509_print_ex(out, new_x509, get_nameopt(), reqflag); 965 else 966 ret = X509_REQ_print_ex(out, req, get_nameopt(), reqflag); 967 968 if (ret == 0) { 969 if (gen_x509) 970 BIO_printf(bio_err, "Error printing certificate\n"); 971 else 972 BIO_printf(bio_err, "Error printing certificate request\n"); 973 goto end; 974 } 975 } 976 977 if (subject) { 978 print_name(out, "subject=", gen_x509 979 ? X509_get_subject_name(new_x509) 980 : X509_REQ_get_subject_name(req)); 981 } 982 983 if (modulus) { 984 EVP_PKEY *tpubkey; 985 986 if (gen_x509) 987 tpubkey = X509_get0_pubkey(new_x509); 988 else 989 tpubkey = X509_REQ_get0_pubkey(req); 990 if (tpubkey == NULL) { 991 fprintf(stdout, "Modulus is unavailable\n"); 992 goto end; 993 } 994 fprintf(stdout, "Modulus="); 995 if (EVP_PKEY_is_a(tpubkey, "RSA") || EVP_PKEY_is_a(tpubkey, "RSA-PSS")) { 996 BIGNUM *n = NULL; 997 998 if (!EVP_PKEY_get_bn_param(tpubkey, "n", &n)) 999 goto end; 1000 BN_print(out, n); 1001 BN_free(n); 1002 } else { 1003 fprintf(stdout, "Wrong Algorithm type"); 1004 } 1005 fprintf(stdout, "\n"); 1006 } 1007 1008 if (!noout && !gen_x509) { 1009 if (outformat == FORMAT_ASN1) 1010 i = i2d_X509_REQ_bio(out, req); 1011 else if (newhdr) 1012 i = PEM_write_bio_X509_REQ_NEW(out, req); 1013 else 1014 i = PEM_write_bio_X509_REQ(out, req); 1015 if (!i) { 1016 BIO_printf(bio_err, "Unable to write certificate request\n"); 1017 goto end; 1018 } 1019 } 1020 if (!noout && gen_x509 && new_x509 != NULL) { 1021 if (outformat == FORMAT_ASN1) 1022 i = i2d_X509_bio(out, new_x509); 1023 else 1024 i = PEM_write_bio_X509(out, new_x509); 1025 if (!i) { 1026 BIO_printf(bio_err, "Unable to write X509 certificate\n"); 1027 goto end; 1028 } 1029 } 1030 ret = 0; 1031 end: 1032 if (ret) { 1033 ERR_print_errors(bio_err); 1034 } 1035 NCONF_free(req_conf); 1036 NCONF_free(addext_conf); 1037 BIO_free(addext_bio); 1038 BIO_free_all(out); 1039 EVP_PKEY_free(pkey); 1040 EVP_PKEY_CTX_free(genctx); 1041 sk_OPENSSL_STRING_free(pkeyopts); 1042 sk_OPENSSL_STRING_free(sigopts); 1043 sk_OPENSSL_STRING_free(vfyopts); 1044 lh_OPENSSL_STRING_doall(addexts, exts_cleanup); 1045 lh_OPENSSL_STRING_free(addexts); 1046 #ifndef OPENSSL_NO_ENGINE 1047 release_engine(gen_eng); 1048 #endif 1049 OPENSSL_free(keyalgstr); 1050 X509_REQ_free(req); 1051 X509_NAME_free(fsubj); 1052 X509_free(new_x509); 1053 X509_free(CAcert); 1054 EVP_PKEY_free(CAkey); 1055 ASN1_INTEGER_free(serial); 1056 release_engine(e); 1057 if (passin != nofree_passin) 1058 OPENSSL_free(passin); 1059 if (passout != nofree_passout) 1060 OPENSSL_free(passout); 1061 return ret; 1062 } 1063 1064 static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, X509_NAME *fsubj, 1065 int multirdn, int attribs, unsigned long chtype) 1066 { 1067 int ret = 0, i; 1068 char no_prompt = 0; 1069 STACK_OF(CONF_VALUE) *dn_sk = NULL, *attr_sk = NULL; 1070 char *tmp, *dn_sect, *attr_sect; 1071 1072 tmp = NCONF_get_string(req_conf, section, PROMPT); 1073 if (tmp == NULL) 1074 ERR_clear_error(); 1075 if ((tmp != NULL) && strcmp(tmp, "no") == 0) 1076 no_prompt = 1; 1077 1078 dn_sect = NCONF_get_string(req_conf, section, DISTINGUISHED_NAME); 1079 if (dn_sect == NULL) { 1080 ERR_clear_error(); 1081 } else { 1082 dn_sk = NCONF_get_section(req_conf, dn_sect); 1083 if (dn_sk == NULL) { 1084 BIO_printf(bio_err, "Unable to get '%s' section\n", dn_sect); 1085 goto err; 1086 } 1087 } 1088 1089 attr_sect = NCONF_get_string(req_conf, section, ATTRIBUTES); 1090 if (attr_sect == NULL) { 1091 ERR_clear_error(); 1092 } else { 1093 attr_sk = NCONF_get_section(req_conf, attr_sect); 1094 if (attr_sk == NULL) { 1095 BIO_printf(bio_err, "Unable to get '%s' section\n", attr_sect); 1096 goto err; 1097 } 1098 } 1099 1100 /* so far there is only version 1 */ 1101 if (!X509_REQ_set_version(req, X509_REQ_VERSION_1)) 1102 goto err; 1103 1104 if (fsubj != NULL) 1105 i = X509_REQ_set_subject_name(req, fsubj); 1106 else if (no_prompt) 1107 i = auto_info(req, dn_sk, attr_sk, attribs, chtype); 1108 else 1109 i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs, 1110 chtype); 1111 if (!i) 1112 goto err; 1113 1114 if (!X509_REQ_set_pubkey(req, pkey)) 1115 goto err; 1116 1117 ret = 1; 1118 err: 1119 return ret; 1120 } 1121 1122 static int prompt_info(X509_REQ *req, 1123 STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect, 1124 STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect, 1125 int attribs, unsigned long chtype) 1126 { 1127 int i; 1128 char *p, *q; 1129 char buf[100]; 1130 int nid, mval; 1131 long n_min, n_max; 1132 char *type, *value; 1133 const char *def; 1134 CONF_VALUE *v; 1135 X509_NAME *subj = X509_REQ_get_subject_name(req); 1136 1137 if (!batch) { 1138 BIO_printf(bio_err, 1139 "You are about to be asked to enter information that will be incorporated\n"); 1140 BIO_printf(bio_err, "into your certificate request.\n"); 1141 BIO_printf(bio_err, 1142 "What you are about to enter is what is called a Distinguished Name or a DN.\n"); 1143 BIO_printf(bio_err, 1144 "There are quite a few fields but you can leave some blank\n"); 1145 BIO_printf(bio_err, 1146 "For some fields there will be a default value,\n"); 1147 BIO_printf(bio_err, 1148 "If you enter '.', the field will be left blank.\n"); 1149 BIO_printf(bio_err, "-----\n"); 1150 } 1151 1152 if (sk_CONF_VALUE_num(dn_sk)) { 1153 i = -1; 1154 start: 1155 for (;;) { 1156 i++; 1157 if (sk_CONF_VALUE_num(dn_sk) <= i) 1158 break; 1159 1160 v = sk_CONF_VALUE_value(dn_sk, i); 1161 p = q = NULL; 1162 type = v->name; 1163 if (!check_end(type, "_min") || !check_end(type, "_max") || 1164 !check_end(type, "_default") || !check_end(type, "_value")) 1165 continue; 1166 /* 1167 * Skip past any leading X. X: X, etc to allow for multiple 1168 * instances 1169 */ 1170 for (p = v->name; *p; p++) 1171 if ((*p == ':') || (*p == ',') || (*p == '.')) { 1172 p++; 1173 if (*p) 1174 type = p; 1175 break; 1176 } 1177 if (*type == '+') { 1178 mval = -1; 1179 type++; 1180 } else { 1181 mval = 0; 1182 } 1183 /* If OBJ not recognised ignore it */ 1184 if ((nid = OBJ_txt2nid(type)) == NID_undef) 1185 goto start; 1186 if (!join(buf, sizeof(buf), v->name, "_default", "Name")) 1187 return 0; 1188 if ((def = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) { 1189 ERR_clear_error(); 1190 def = ""; 1191 } 1192 1193 if (!join(buf, sizeof(buf), v->name, "_value", "Name")) 1194 return 0; 1195 if ((value = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) { 1196 ERR_clear_error(); 1197 value = NULL; 1198 } 1199 1200 if (!join(buf, sizeof(buf), v->name, "_min", "Name")) 1201 return 0; 1202 if (!NCONF_get_number(req_conf, dn_sect, buf, &n_min)) { 1203 ERR_clear_error(); 1204 n_min = -1; 1205 } 1206 1207 if (!join(buf, sizeof(buf), v->name, "_max", "Name")) 1208 return 0; 1209 if (!NCONF_get_number(req_conf, dn_sect, buf, &n_max)) { 1210 ERR_clear_error(); 1211 n_max = -1; 1212 } 1213 1214 if (!add_DN_object(subj, v->value, def, value, nid, 1215 n_min, n_max, chtype, mval)) 1216 return 0; 1217 } 1218 if (X509_NAME_entry_count(subj) == 0) { 1219 BIO_printf(bio_err, "Error: No objects specified in config file\n"); 1220 return 0; 1221 } 1222 1223 if (attribs) { 1224 if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0) 1225 && (!batch)) { 1226 BIO_printf(bio_err, 1227 "\nPlease enter the following 'extra' attributes\n"); 1228 BIO_printf(bio_err, 1229 "to be sent with your certificate request\n"); 1230 } 1231 1232 i = -1; 1233 start2: 1234 for (;;) { 1235 i++; 1236 if ((attr_sk == NULL) || (sk_CONF_VALUE_num(attr_sk) <= i)) 1237 break; 1238 1239 v = sk_CONF_VALUE_value(attr_sk, i); 1240 type = v->name; 1241 if ((nid = OBJ_txt2nid(type)) == NID_undef) 1242 goto start2; 1243 1244 if (!join(buf, sizeof(buf), type, "_default", "Name")) 1245 return 0; 1246 if ((def = NCONF_get_string(req_conf, attr_sect, buf)) 1247 == NULL) { 1248 ERR_clear_error(); 1249 def = ""; 1250 } 1251 1252 if (!join(buf, sizeof(buf), type, "_value", "Name")) 1253 return 0; 1254 if ((value = NCONF_get_string(req_conf, attr_sect, buf)) 1255 == NULL) { 1256 ERR_clear_error(); 1257 value = NULL; 1258 } 1259 1260 if (!join(buf, sizeof(buf), type, "_min", "Name")) 1261 return 0; 1262 if (!NCONF_get_number(req_conf, attr_sect, buf, &n_min)) { 1263 ERR_clear_error(); 1264 n_min = -1; 1265 } 1266 1267 if (!join(buf, sizeof(buf), type, "_max", "Name")) 1268 return 0; 1269 if (!NCONF_get_number(req_conf, attr_sect, buf, &n_max)) { 1270 ERR_clear_error(); 1271 n_max = -1; 1272 } 1273 1274 if (!add_attribute_object(req, 1275 v->value, def, value, nid, n_min, 1276 n_max, chtype)) 1277 return 0; 1278 } 1279 } 1280 } else { 1281 BIO_printf(bio_err, "No template, please set one up.\n"); 1282 return 0; 1283 } 1284 1285 return 1; 1286 1287 } 1288 1289 static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk, 1290 STACK_OF(CONF_VALUE) *attr_sk, int attribs, 1291 unsigned long chtype) 1292 { 1293 int i, spec_char, plus_char; 1294 char *p, *q; 1295 char *type; 1296 CONF_VALUE *v; 1297 X509_NAME *subj; 1298 1299 subj = X509_REQ_get_subject_name(req); 1300 1301 for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) { 1302 int mval; 1303 v = sk_CONF_VALUE_value(dn_sk, i); 1304 p = q = NULL; 1305 type = v->name; 1306 /* 1307 * Skip past any leading X. X: X, etc to allow for multiple instances 1308 */ 1309 for (p = v->name; *p; p++) { 1310 #ifndef CHARSET_EBCDIC 1311 spec_char = (*p == ':' || *p == ',' || *p == '.'); 1312 #else 1313 spec_char = (*p == os_toascii[':'] || *p == os_toascii[','] 1314 || *p == os_toascii['.']); 1315 #endif 1316 if (spec_char) { 1317 p++; 1318 if (*p) 1319 type = p; 1320 break; 1321 } 1322 } 1323 #ifndef CHARSET_EBCDIC 1324 plus_char = (*type == '+'); 1325 #else 1326 plus_char = (*type == os_toascii['+']); 1327 #endif 1328 if (plus_char) { 1329 type++; 1330 mval = -1; 1331 } else { 1332 mval = 0; 1333 } 1334 if (!X509_NAME_add_entry_by_txt(subj, type, chtype, 1335 (unsigned char *)v->value, -1, -1, 1336 mval)) 1337 return 0; 1338 1339 } 1340 1341 if (!X509_NAME_entry_count(subj)) { 1342 BIO_printf(bio_err, "Error: No objects specified in config file\n"); 1343 return 0; 1344 } 1345 if (attribs) { 1346 for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) { 1347 v = sk_CONF_VALUE_value(attr_sk, i); 1348 if (!X509_REQ_add1_attr_by_txt(req, v->name, chtype, 1349 (unsigned char *)v->value, -1)) 1350 return 0; 1351 } 1352 } 1353 return 1; 1354 } 1355 1356 static int add_DN_object(X509_NAME *n, char *text, const char *def, 1357 char *value, int nid, int n_min, int n_max, 1358 unsigned long chtype, int mval) 1359 { 1360 int ret = 0; 1361 char buf[1024]; 1362 1363 ret = build_data(text, def, value, n_min, n_max, buf, sizeof(buf), 1364 "DN value", "DN default"); 1365 if ((ret == 0) || (ret == 1)) 1366 return ret; 1367 ret = 1; 1368 1369 if (!X509_NAME_add_entry_by_NID(n, nid, chtype, 1370 (unsigned char *)buf, -1, -1, mval)) 1371 ret = 0; 1372 1373 return ret; 1374 } 1375 1376 static int add_attribute_object(X509_REQ *req, char *text, const char *def, 1377 char *value, int nid, int n_min, 1378 int n_max, unsigned long chtype) 1379 { 1380 int ret = 0; 1381 char buf[1024]; 1382 1383 ret = build_data(text, def, value, n_min, n_max, buf, sizeof(buf), 1384 "Attribute value", "Attribute default"); 1385 if ((ret == 0) || (ret == 1)) 1386 return ret; 1387 ret = 1; 1388 1389 if (!X509_REQ_add1_attr_by_NID(req, nid, chtype, 1390 (unsigned char *)buf, -1)) { 1391 BIO_printf(bio_err, "Error adding attribute\n"); 1392 ret = 0; 1393 } 1394 1395 return ret; 1396 } 1397 1398 static int build_data(char *text, const char *def, char *value, 1399 int n_min, int n_max, char *buf, const int buf_size, 1400 const char *desc1, const char *desc2) 1401 { 1402 int i; 1403 start: 1404 if (!batch) 1405 BIO_printf(bio_err, "%s [%s]:", text, def); 1406 (void)BIO_flush(bio_err); 1407 if (value != NULL) { 1408 if (!join(buf, buf_size, value, "\n", desc1)) 1409 return 0; 1410 BIO_printf(bio_err, "%s\n", value); 1411 } else { 1412 buf[0] = '\0'; 1413 if (!batch) { 1414 if (!fgets(buf, buf_size, stdin)) 1415 return 0; 1416 } else { 1417 buf[0] = '\n'; 1418 buf[1] = '\0'; 1419 } 1420 } 1421 1422 if (buf[0] == '\0') 1423 return 0; 1424 if (buf[0] == '\n') { 1425 if ((def == NULL) || (def[0] == '\0')) 1426 return 1; 1427 if (!join(buf, buf_size, def, "\n", desc2)) 1428 return 0; 1429 } else if ((buf[0] == '.') && (buf[1] == '\n')) { 1430 return 1; 1431 } 1432 1433 i = strlen(buf); 1434 if (buf[i - 1] != '\n') { 1435 BIO_printf(bio_err, "Missing newline at end of input\n"); 1436 return 0; 1437 } 1438 buf[--i] = '\0'; 1439 #ifdef CHARSET_EBCDIC 1440 ebcdic2ascii(buf, buf, i); 1441 #endif 1442 if (!req_check_len(i, n_min, n_max)) { 1443 if (batch || value) 1444 return 0; 1445 goto start; 1446 } 1447 return 2; 1448 } 1449 1450 static int req_check_len(int len, int n_min, int n_max) 1451 { 1452 if (n_min > 0 && len < n_min) { 1453 BIO_printf(bio_err, 1454 "String too short, must be at least %d bytes long\n", n_min); 1455 return 0; 1456 } 1457 if (n_max >= 0 && len > n_max) { 1458 BIO_printf(bio_err, 1459 "String too long, must be at most %d bytes long\n", n_max); 1460 return 0; 1461 } 1462 return 1; 1463 } 1464 1465 /* Check if the end of a string matches 'end' */ 1466 static int check_end(const char *str, const char *end) 1467 { 1468 size_t elen, slen; 1469 const char *tmp; 1470 1471 elen = strlen(end); 1472 slen = strlen(str); 1473 if (elen > slen) 1474 return 1; 1475 tmp = str + slen - elen; 1476 return strcmp(tmp, end); 1477 } 1478 1479 /* 1480 * Merge the two strings together into the result buffer checking for 1481 * overflow and producing an error message if there is. 1482 */ 1483 static int join(char buf[], size_t buf_size, const char *name, 1484 const char *tail, const char *desc) 1485 { 1486 const size_t name_len = strlen(name), tail_len = strlen(tail); 1487 1488 if (name_len + tail_len + 1 > buf_size) { 1489 BIO_printf(bio_err, "%s '%s' too long\n", desc, name); 1490 return 0; 1491 } 1492 memcpy(buf, name, name_len); 1493 memcpy(buf + name_len, tail, tail_len + 1); 1494 return 1; 1495 } 1496 1497 static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, 1498 char **pkeytype, long *pkeylen, 1499 ENGINE *keygen_engine) 1500 { 1501 EVP_PKEY_CTX *gctx = NULL; 1502 EVP_PKEY *param = NULL; 1503 long keylen = -1; 1504 BIO *pbio = NULL; 1505 const char *keytype = NULL; 1506 size_t keytypelen = 0; 1507 int expect_paramfile = 0; 1508 const char *paramfile = NULL; 1509 1510 /* Treat the first part of gstr, and only that */ 1511 if (gstr == NULL) { 1512 /* 1513 * Special case: when no string given, default to RSA and the 1514 * key length given by |*pkeylen|. 1515 */ 1516 keytype = "RSA"; 1517 keylen = *pkeylen; 1518 } else if (gstr[0] >= '0' && gstr[0] <= '9') { 1519 /* Special case: only keylength given from string, so default to RSA */ 1520 keytype = "RSA"; 1521 /* The second part treatment will do the rest */ 1522 } else { 1523 const char *p = strchr(gstr, ':'); 1524 int len; 1525 1526 if (p != NULL) 1527 len = p - gstr; 1528 else 1529 len = strlen(gstr); 1530 1531 if (strncmp(gstr, "param", len) == 0) { 1532 expect_paramfile = 1; 1533 if (p == NULL) { 1534 BIO_printf(bio_err, 1535 "Parameter file requested but no path given: %s\n", 1536 gstr); 1537 return NULL; 1538 } 1539 } else { 1540 keytype = gstr; 1541 keytypelen = len; 1542 } 1543 1544 if (p != NULL) 1545 gstr = gstr + len + 1; 1546 else 1547 gstr = NULL; 1548 } 1549 1550 /* Treat the second part of gstr, if there is one */ 1551 if (gstr != NULL) { 1552 /* If the second part starts with a digit, we assume it's a size */ 1553 if (!expect_paramfile && gstr[0] >= '0' && gstr[0] <= '9') 1554 keylen = atol(gstr); 1555 else 1556 paramfile = gstr; 1557 } 1558 1559 if (paramfile != NULL) { 1560 pbio = BIO_new_file(paramfile, "r"); 1561 if (pbio == NULL) { 1562 BIO_printf(bio_err, "Cannot open parameter file %s\n", paramfile); 1563 return NULL; 1564 } 1565 param = PEM_read_bio_Parameters(pbio, NULL); 1566 1567 if (param == NULL) { 1568 X509 *x; 1569 1570 (void)BIO_reset(pbio); 1571 x = PEM_read_bio_X509(pbio, NULL, NULL, NULL); 1572 if (x != NULL) { 1573 param = X509_get_pubkey(x); 1574 X509_free(x); 1575 } 1576 } 1577 1578 BIO_free(pbio); 1579 1580 if (param == NULL) { 1581 BIO_printf(bio_err, "Error reading parameter file %s\n", paramfile); 1582 return NULL; 1583 } 1584 if (keytype == NULL) { 1585 keytype = EVP_PKEY_get0_type_name(param); 1586 if (keytype == NULL) { 1587 EVP_PKEY_free(param); 1588 BIO_puts(bio_err, "Unable to determine key type\n"); 1589 return NULL; 1590 } 1591 } 1592 } 1593 1594 if (keytypelen > 0) 1595 *pkeytype = OPENSSL_strndup(keytype, keytypelen); 1596 else 1597 *pkeytype = OPENSSL_strdup(keytype); 1598 1599 if (*pkeytype == NULL) { 1600 BIO_printf(bio_err, "Out of memory\n"); 1601 EVP_PKEY_free(param); 1602 return NULL; 1603 } 1604 1605 if (keylen >= 0) 1606 *pkeylen = keylen; 1607 1608 if (param != NULL) { 1609 if (!EVP_PKEY_is_a(param, *pkeytype)) { 1610 BIO_printf(bio_err, "Key type does not match parameters\n"); 1611 EVP_PKEY_free(param); 1612 return NULL; 1613 } 1614 1615 if (keygen_engine != NULL) 1616 gctx = EVP_PKEY_CTX_new(param, keygen_engine); 1617 else 1618 gctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), 1619 param, app_get0_propq()); 1620 *pkeylen = EVP_PKEY_get_bits(param); 1621 EVP_PKEY_free(param); 1622 } else { 1623 if (keygen_engine != NULL) { 1624 int pkey_id = get_legacy_pkey_id(app_get0_libctx(), *pkeytype, 1625 keygen_engine); 1626 1627 if (pkey_id != NID_undef) 1628 gctx = EVP_PKEY_CTX_new_id(pkey_id, keygen_engine); 1629 } else { 1630 gctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), 1631 *pkeytype, app_get0_propq()); 1632 } 1633 } 1634 1635 if (gctx == NULL) { 1636 BIO_puts(bio_err, "Error allocating keygen context\n"); 1637 return NULL; 1638 } 1639 1640 if (EVP_PKEY_keygen_init(gctx) <= 0) { 1641 BIO_puts(bio_err, "Error initializing keygen context\n"); 1642 EVP_PKEY_CTX_free(gctx); 1643 return NULL; 1644 } 1645 if (keylen == -1 && (EVP_PKEY_CTX_is_a(gctx, "RSA") 1646 || EVP_PKEY_CTX_is_a(gctx, "RSA-PSS"))) 1647 keylen = *pkeylen; 1648 1649 if (keylen != -1) { 1650 OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END }; 1651 size_t bits = keylen; 1652 1653 params[0] = 1654 OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_BITS, &bits); 1655 if (EVP_PKEY_CTX_set_params(gctx, params) <= 0) { 1656 BIO_puts(bio_err, "Error setting keysize\n"); 1657 EVP_PKEY_CTX_free(gctx); 1658 return NULL; 1659 } 1660 } 1661 1662 return gctx; 1663 } 1664 1665 static int genpkey_cb(EVP_PKEY_CTX *ctx) 1666 { 1667 char c = '*'; 1668 BIO *b = EVP_PKEY_CTX_get_app_data(ctx); 1669 int p; 1670 p = EVP_PKEY_CTX_get_keygen_info(ctx, 0); 1671 if (p == 0) 1672 c = '.'; 1673 if (p == 1) 1674 c = '+'; 1675 if (p == 2) 1676 c = '*'; 1677 if (p == 3) 1678 c = '\n'; 1679 BIO_write(b, &c, 1); 1680 (void)BIO_flush(b); 1681 return 1; 1682 } 1683