1 /* 2 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include <stdlib.h> 12 #include <time.h> 13 #include <string.h> 14 #include <ctype.h> 15 #include "apps.h" 16 #include "progs.h" 17 #include <openssl/bio.h> 18 #include <openssl/evp.h> 19 #include <openssl/conf.h> 20 #include <openssl/err.h> 21 #include <openssl/asn1.h> 22 #include <openssl/x509.h> 23 #include <openssl/x509v3.h> 24 #include <openssl/objects.h> 25 #include <openssl/pem.h> 26 #include <openssl/bn.h> 27 #include <openssl/lhash.h> 28 #ifndef OPENSSL_NO_RSA 29 # include <openssl/rsa.h> 30 #endif 31 #ifndef OPENSSL_NO_DSA 32 # include <openssl/dsa.h> 33 #endif 34 35 #define SECTION "req" 36 37 #define BITS "default_bits" 38 #define KEYFILE "default_keyfile" 39 #define PROMPT "prompt" 40 #define DISTINGUISHED_NAME "distinguished_name" 41 #define ATTRIBUTES "attributes" 42 #define V3_EXTENSIONS "x509_extensions" 43 #define REQ_EXTENSIONS "req_extensions" 44 #define STRING_MASK "string_mask" 45 #define UTF8_IN "utf8" 46 47 #define DEFAULT_KEY_LENGTH 2048 48 #define MIN_KEY_LENGTH 512 49 50 static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *dn, int mutlirdn, 51 int attribs, unsigned long chtype); 52 static int build_subject(X509_REQ *req, const char *subj, unsigned long chtype, 53 int multirdn); 54 static int prompt_info(X509_REQ *req, 55 STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect, 56 STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect, 57 int attribs, unsigned long chtype); 58 static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk, 59 STACK_OF(CONF_VALUE) *attr, int attribs, 60 unsigned long chtype); 61 static int add_attribute_object(X509_REQ *req, char *text, const char *def, 62 char *value, int nid, int n_min, int n_max, 63 unsigned long chtype); 64 static int add_DN_object(X509_NAME *n, char *text, const char *def, 65 char *value, int nid, int n_min, int n_max, 66 unsigned long chtype, int mval); 67 static int genpkey_cb(EVP_PKEY_CTX *ctx); 68 static int build_data(char *text, const char *def, 69 char *value, int n_min, int n_max, 70 char *buf, const int buf_size, 71 const char *desc1, const char *desc2 72 ); 73 static int req_check_len(int len, int n_min, int n_max); 74 static int check_end(const char *str, const char *end); 75 static int join(char buf[], size_t buf_size, const char *name, 76 const char *tail, const char *desc); 77 static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, 78 int *pkey_type, long *pkeylen, 79 char **palgnam, ENGINE *keygen_engine); 80 static CONF *req_conf = NULL; 81 static CONF *addext_conf = NULL; 82 static int batch = 0; 83 84 typedef enum OPTION_choice { 85 OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, 86 OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY, 87 OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT, 88 OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_NEWKEY, 89 OPT_PKEYOPT, OPT_SIGOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS, 90 OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8, 91 OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509, 92 OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_ADDEXT, OPT_EXTENSIONS, 93 OPT_REQEXTS, OPT_PRECERT, OPT_MD, 94 OPT_R_ENUM 95 } OPTION_CHOICE; 96 97 const OPTIONS req_options[] = { 98 {"help", OPT_HELP, '-', "Display this summary"}, 99 {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, 100 {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, 101 {"in", OPT_IN, '<', "Input file"}, 102 {"out", OPT_OUT, '>', "Output file"}, 103 {"key", OPT_KEY, 's', "Private key to use"}, 104 {"keyform", OPT_KEYFORM, 'f', "Key file format"}, 105 {"pubkey", OPT_PUBKEY, '-', "Output public key"}, 106 {"new", OPT_NEW, '-', "New request"}, 107 {"config", OPT_CONFIG, '<', "Request template file"}, 108 {"keyout", OPT_KEYOUT, '>', "File to send the key to"}, 109 {"passin", OPT_PASSIN, 's', "Private key password source"}, 110 {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, 111 OPT_R_OPTIONS, 112 {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"}, 113 {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"}, 114 {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, 115 {"batch", OPT_BATCH, '-', 116 "Do not ask anything during request generation"}, 117 {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"}, 118 {"modulus", OPT_MODULUS, '-', "RSA modulus"}, 119 {"verify", OPT_VERIFY, '-', "Verify signature on REQ"}, 120 {"nodes", OPT_NODES, '-', "Don't encrypt the output key"}, 121 {"noout", OPT_NOOUT, '-', "Do not output REQ"}, 122 {"verbose", OPT_VERBOSE, '-', "Verbose output"}, 123 {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"}, 124 {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, 125 {"reqopt", OPT_REQOPT, 's', "Various request text options"}, 126 {"text", OPT_TEXT, '-', "Text form of request"}, 127 {"x509", OPT_X509, '-', 128 "Output a x509 structure instead of a cert request"}, 129 {OPT_MORE_STR, 1, 1, "(Required by some CA's)"}, 130 {"subj", OPT_SUBJ, 's', "Set or modify request subject"}, 131 {"subject", OPT_SUBJECT, '-', "Output the request's subject"}, 132 {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-', 133 "Enable support for multivalued RDNs"}, 134 {"days", OPT_DAYS, 'p', "Number of days cert is valid for"}, 135 {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"}, 136 {"addext", OPT_ADDEXT, 's', 137 "Additional cert extension key=value pair (may be given more than once)"}, 138 {"extensions", OPT_EXTENSIONS, 's', 139 "Cert extension section (override value in config file)"}, 140 {"reqexts", OPT_REQEXTS, 's', 141 "Request extension section (override value in config file)"}, 142 {"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"}, 143 {"", OPT_MD, '-', "Any supported digest"}, 144 #ifndef OPENSSL_NO_ENGINE 145 {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, 146 {"keygen_engine", OPT_KEYGEN_ENGINE, 's', 147 "Specify engine to be used for key generation operations"}, 148 #endif 149 {NULL} 150 }; 151 152 153 /* 154 * An LHASH of strings, where each string is an extension name. 155 */ 156 static unsigned long ext_name_hash(const OPENSSL_STRING *a) 157 { 158 return OPENSSL_LH_strhash((const char *)a); 159 } 160 161 static int ext_name_cmp(const OPENSSL_STRING *a, const OPENSSL_STRING *b) 162 { 163 return strcmp((const char *)a, (const char *)b); 164 } 165 166 static void exts_cleanup(OPENSSL_STRING *x) 167 { 168 OPENSSL_free((char *)x); 169 } 170 171 /* 172 * Is the |kv| key already duplicated? This is remarkably tricky to get 173 * right. Return 0 if unique, -1 on runtime error; 1 if found or a syntax 174 * error. 175 */ 176 static int duplicated(LHASH_OF(OPENSSL_STRING) *addexts, char *kv) 177 { 178 char *p; 179 size_t off; 180 181 /* Check syntax. */ 182 /* Skip leading whitespace, make a copy. */ 183 while (*kv && isspace(*kv)) 184 if (*++kv == '\0') 185 return 1; 186 if ((p = strchr(kv, '=')) == NULL) 187 return 1; 188 off = p - kv; 189 if ((kv = OPENSSL_strdup(kv)) == NULL) 190 return -1; 191 192 /* Skip trailing space before the equal sign. */ 193 for (p = kv + off; p > kv; --p) 194 if (!isspace(p[-1])) 195 break; 196 if (p == kv) { 197 OPENSSL_free(kv); 198 return 1; 199 } 200 *p = '\0'; 201 202 /* Finally have a clean "key"; see if it's there [by attempt to add it]. */ 203 p = (char *)lh_OPENSSL_STRING_insert(addexts, (OPENSSL_STRING*)kv); 204 if (p != NULL) { 205 OPENSSL_free(p); 206 return 1; 207 } else if (lh_OPENSSL_STRING_error(addexts)) { 208 OPENSSL_free(kv); 209 return -1; 210 } 211 212 return 0; 213 } 214 215 int req_main(int argc, char **argv) 216 { 217 ASN1_INTEGER *serial = NULL; 218 BIO *in = NULL, *out = NULL; 219 ENGINE *e = NULL, *gen_eng = NULL; 220 EVP_PKEY *pkey = NULL; 221 EVP_PKEY_CTX *genctx = NULL; 222 STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL; 223 LHASH_OF(OPENSSL_STRING) *addexts = NULL; 224 X509 *x509ss = NULL; 225 X509_REQ *req = NULL; 226 const EVP_CIPHER *cipher = NULL; 227 const EVP_MD *md_alg = NULL, *digest = NULL; 228 BIO *addext_bio = NULL; 229 char *extensions = NULL, *infile = NULL; 230 char *outfile = NULL, *keyfile = NULL; 231 char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL; 232 char *passin = NULL, *passout = NULL; 233 char *nofree_passin = NULL, *nofree_passout = NULL; 234 char *req_exts = NULL, *subj = NULL; 235 char *template = default_config_file, *keyout = NULL; 236 const char *keyalg = NULL; 237 OPTION_CHOICE o; 238 int ret = 1, x509 = 0, days = 0, i = 0, newreq = 0, verbose = 0; 239 int pkey_type = -1, private = 0; 240 int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM; 241 int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0; 242 int nodes = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0; 243 long newkey = -1; 244 unsigned long chtype = MBSTRING_ASC, reqflag = 0; 245 246 #ifndef OPENSSL_NO_DES 247 cipher = EVP_des_ede3_cbc(); 248 #endif 249 250 prog = opt_init(argc, argv, req_options); 251 while ((o = opt_next()) != OPT_EOF) { 252 switch (o) { 253 case OPT_EOF: 254 case OPT_ERR: 255 opthelp: 256 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); 257 goto end; 258 case OPT_HELP: 259 opt_help(req_options); 260 ret = 0; 261 goto end; 262 case OPT_INFORM: 263 if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) 264 goto opthelp; 265 break; 266 case OPT_OUTFORM: 267 if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) 268 goto opthelp; 269 break; 270 case OPT_ENGINE: 271 e = setup_engine(opt_arg(), 0); 272 break; 273 case OPT_KEYGEN_ENGINE: 274 #ifndef OPENSSL_NO_ENGINE 275 gen_eng = ENGINE_by_id(opt_arg()); 276 if (gen_eng == NULL) { 277 BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv); 278 goto opthelp; 279 } 280 #endif 281 break; 282 case OPT_KEY: 283 keyfile = opt_arg(); 284 break; 285 case OPT_PUBKEY: 286 pubkey = 1; 287 break; 288 case OPT_NEW: 289 newreq = 1; 290 break; 291 case OPT_CONFIG: 292 template = opt_arg(); 293 break; 294 case OPT_KEYFORM: 295 if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform)) 296 goto opthelp; 297 break; 298 case OPT_IN: 299 infile = opt_arg(); 300 break; 301 case OPT_OUT: 302 outfile = opt_arg(); 303 break; 304 case OPT_KEYOUT: 305 keyout = opt_arg(); 306 break; 307 case OPT_PASSIN: 308 passargin = opt_arg(); 309 break; 310 case OPT_PASSOUT: 311 passargout = opt_arg(); 312 break; 313 case OPT_R_CASES: 314 if (!opt_rand(o)) 315 goto end; 316 break; 317 case OPT_NEWKEY: 318 keyalg = opt_arg(); 319 newreq = 1; 320 break; 321 case OPT_PKEYOPT: 322 if (!pkeyopts) 323 pkeyopts = sk_OPENSSL_STRING_new_null(); 324 if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, opt_arg())) 325 goto opthelp; 326 break; 327 case OPT_SIGOPT: 328 if (!sigopts) 329 sigopts = sk_OPENSSL_STRING_new_null(); 330 if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) 331 goto opthelp; 332 break; 333 case OPT_BATCH: 334 batch = 1; 335 break; 336 case OPT_NEWHDR: 337 newhdr = 1; 338 break; 339 case OPT_MODULUS: 340 modulus = 1; 341 break; 342 case OPT_VERIFY: 343 verify = 1; 344 break; 345 case OPT_NODES: 346 nodes = 1; 347 break; 348 case OPT_NOOUT: 349 noout = 1; 350 break; 351 case OPT_VERBOSE: 352 verbose = 1; 353 break; 354 case OPT_UTF8: 355 chtype = MBSTRING_UTF8; 356 break; 357 case OPT_NAMEOPT: 358 if (!set_nameopt(opt_arg())) 359 goto opthelp; 360 break; 361 case OPT_REQOPT: 362 if (!set_cert_ex(&reqflag, opt_arg())) 363 goto opthelp; 364 break; 365 case OPT_TEXT: 366 text = 1; 367 break; 368 case OPT_X509: 369 x509 = 1; 370 break; 371 case OPT_DAYS: 372 days = atoi(opt_arg()); 373 break; 374 case OPT_SET_SERIAL: 375 if (serial != NULL) { 376 BIO_printf(bio_err, "Serial number supplied twice\n"); 377 goto opthelp; 378 } 379 serial = s2i_ASN1_INTEGER(NULL, opt_arg()); 380 if (serial == NULL) 381 goto opthelp; 382 break; 383 case OPT_SUBJECT: 384 subject = 1; 385 break; 386 case OPT_SUBJ: 387 subj = opt_arg(); 388 break; 389 case OPT_MULTIVALUE_RDN: 390 multirdn = 1; 391 break; 392 case OPT_ADDEXT: 393 p = opt_arg(); 394 if (addexts == NULL) { 395 addexts = lh_OPENSSL_STRING_new(ext_name_hash, ext_name_cmp); 396 addext_bio = BIO_new(BIO_s_mem()); 397 if (addexts == NULL || addext_bio == NULL) 398 goto end; 399 } 400 i = duplicated(addexts, p); 401 if (i == 1) 402 goto opthelp; 403 if (i < 0 || BIO_printf(addext_bio, "%s\n", opt_arg()) < 0) 404 goto end; 405 break; 406 case OPT_EXTENSIONS: 407 extensions = opt_arg(); 408 break; 409 case OPT_REQEXTS: 410 req_exts = opt_arg(); 411 break; 412 case OPT_PRECERT: 413 newreq = precert = 1; 414 break; 415 case OPT_MD: 416 if (!opt_md(opt_unknown(), &md_alg)) 417 goto opthelp; 418 digest = md_alg; 419 break; 420 } 421 } 422 argc = opt_num_rest(); 423 if (argc != 0) 424 goto opthelp; 425 426 if (days && !x509) 427 BIO_printf(bio_err, "Ignoring -days; not generating a certificate\n"); 428 if (x509 && infile == NULL) 429 newreq = 1; 430 431 /* TODO: simplify this as pkey is still always NULL here */ 432 private = newreq && (pkey == NULL) ? 1 : 0; 433 434 if (!app_passwd(passargin, passargout, &passin, &passout)) { 435 BIO_printf(bio_err, "Error getting passwords\n"); 436 goto end; 437 } 438 439 if (verbose) 440 BIO_printf(bio_err, "Using configuration from %s\n", template); 441 if ((req_conf = app_load_config(template)) == NULL) 442 goto end; 443 if (addext_bio) { 444 if (verbose) 445 BIO_printf(bio_err, 446 "Using additional configuration from command line\n"); 447 if ((addext_conf = app_load_config_bio(addext_bio, NULL)) == NULL) 448 goto end; 449 } 450 if (template != default_config_file && !app_load_modules(req_conf)) 451 goto end; 452 453 if (req_conf != NULL) { 454 p = NCONF_get_string(req_conf, NULL, "oid_file"); 455 if (p == NULL) 456 ERR_clear_error(); 457 if (p != NULL) { 458 BIO *oid_bio; 459 460 oid_bio = BIO_new_file(p, "r"); 461 if (oid_bio == NULL) { 462 /*- 463 BIO_printf(bio_err,"problems opening %s for extra oid's\n",p); 464 ERR_print_errors(bio_err); 465 */ 466 } else { 467 OBJ_create_objects(oid_bio); 468 BIO_free(oid_bio); 469 } 470 } 471 } 472 if (!add_oid_section(req_conf)) 473 goto end; 474 475 if (md_alg == NULL) { 476 p = NCONF_get_string(req_conf, SECTION, "default_md"); 477 if (p == NULL) { 478 ERR_clear_error(); 479 } else { 480 if (!opt_md(p, &md_alg)) 481 goto opthelp; 482 digest = md_alg; 483 } 484 } 485 486 if (extensions == NULL) { 487 extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS); 488 if (extensions == NULL) 489 ERR_clear_error(); 490 } 491 if (extensions != NULL) { 492 /* Check syntax of file */ 493 X509V3_CTX ctx; 494 X509V3_set_ctx_test(&ctx); 495 X509V3_set_nconf(&ctx, req_conf); 496 if (!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) { 497 BIO_printf(bio_err, 498 "Error Loading extension section %s\n", extensions); 499 goto end; 500 } 501 } 502 if (addext_conf != NULL) { 503 /* Check syntax of command line extensions */ 504 X509V3_CTX ctx; 505 X509V3_set_ctx_test(&ctx); 506 X509V3_set_nconf(&ctx, addext_conf); 507 if (!X509V3_EXT_add_nconf(addext_conf, &ctx, "default", NULL)) { 508 BIO_printf(bio_err, "Error Loading command line extensions\n"); 509 goto end; 510 } 511 } 512 513 if (passin == NULL) { 514 passin = nofree_passin = 515 NCONF_get_string(req_conf, SECTION, "input_password"); 516 if (passin == NULL) 517 ERR_clear_error(); 518 } 519 520 if (passout == NULL) { 521 passout = nofree_passout = 522 NCONF_get_string(req_conf, SECTION, "output_password"); 523 if (passout == NULL) 524 ERR_clear_error(); 525 } 526 527 p = NCONF_get_string(req_conf, SECTION, STRING_MASK); 528 if (p == NULL) 529 ERR_clear_error(); 530 531 if (p != NULL && !ASN1_STRING_set_default_mask_asc(p)) { 532 BIO_printf(bio_err, "Invalid global string mask setting %s\n", p); 533 goto end; 534 } 535 536 if (chtype != MBSTRING_UTF8) { 537 p = NCONF_get_string(req_conf, SECTION, UTF8_IN); 538 if (p == NULL) 539 ERR_clear_error(); 540 else if (strcmp(p, "yes") == 0) 541 chtype = MBSTRING_UTF8; 542 } 543 544 if (req_exts == NULL) { 545 req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS); 546 if (req_exts == NULL) 547 ERR_clear_error(); 548 } 549 if (req_exts != NULL) { 550 /* Check syntax of file */ 551 X509V3_CTX ctx; 552 X509V3_set_ctx_test(&ctx); 553 X509V3_set_nconf(&ctx, req_conf); 554 if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) { 555 BIO_printf(bio_err, 556 "Error Loading request extension section %s\n", 557 req_exts); 558 goto end; 559 } 560 } 561 562 if (keyfile != NULL) { 563 pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key"); 564 if (pkey == NULL) { 565 /* load_key() has already printed an appropriate message */ 566 goto end; 567 } else { 568 app_RAND_load_conf(req_conf, SECTION); 569 } 570 } 571 572 if (newreq && (pkey == NULL)) { 573 app_RAND_load_conf(req_conf, SECTION); 574 575 if (!NCONF_get_number(req_conf, SECTION, BITS, &newkey)) { 576 newkey = DEFAULT_KEY_LENGTH; 577 } 578 579 if (keyalg != NULL) { 580 genctx = set_keygen_ctx(keyalg, &pkey_type, &newkey, 581 &keyalgstr, gen_eng); 582 if (genctx == NULL) 583 goto end; 584 } 585 586 if (newkey < MIN_KEY_LENGTH 587 && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) { 588 BIO_printf(bio_err, "private key length is too short,\n"); 589 BIO_printf(bio_err, "it needs to be at least %d bits, not %ld\n", 590 MIN_KEY_LENGTH, newkey); 591 goto end; 592 } 593 594 if (pkey_type == EVP_PKEY_RSA && newkey > OPENSSL_RSA_MAX_MODULUS_BITS) 595 BIO_printf(bio_err, 596 "Warning: It is not recommended to use more than %d bit for RSA keys.\n" 597 " Your key size is %ld! Larger key size may behave not as expected.\n", 598 OPENSSL_RSA_MAX_MODULUS_BITS, newkey); 599 600 #ifndef OPENSSL_NO_DSA 601 if (pkey_type == EVP_PKEY_DSA && newkey > OPENSSL_DSA_MAX_MODULUS_BITS) 602 BIO_printf(bio_err, 603 "Warning: It is not recommended to use more than %d bit for DSA keys.\n" 604 " Your key size is %ld! Larger key size may behave not as expected.\n", 605 OPENSSL_DSA_MAX_MODULUS_BITS, newkey); 606 #endif 607 608 if (genctx == NULL) { 609 genctx = set_keygen_ctx(NULL, &pkey_type, &newkey, 610 &keyalgstr, gen_eng); 611 if (!genctx) 612 goto end; 613 } 614 615 if (pkeyopts != NULL) { 616 char *genopt; 617 for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) { 618 genopt = sk_OPENSSL_STRING_value(pkeyopts, i); 619 if (pkey_ctrl_string(genctx, genopt) <= 0) { 620 BIO_printf(bio_err, "parameter error \"%s\"\n", genopt); 621 ERR_print_errors(bio_err); 622 goto end; 623 } 624 } 625 } 626 627 if (pkey_type == EVP_PKEY_EC) { 628 BIO_printf(bio_err, "Generating an EC private key\n"); 629 } else { 630 BIO_printf(bio_err, "Generating a %s private key\n", keyalgstr); 631 } 632 633 EVP_PKEY_CTX_set_cb(genctx, genpkey_cb); 634 EVP_PKEY_CTX_set_app_data(genctx, bio_err); 635 636 if (EVP_PKEY_keygen(genctx, &pkey) <= 0) { 637 BIO_puts(bio_err, "Error Generating Key\n"); 638 goto end; 639 } 640 641 EVP_PKEY_CTX_free(genctx); 642 genctx = NULL; 643 644 if (keyout == NULL) { 645 keyout = NCONF_get_string(req_conf, SECTION, KEYFILE); 646 if (keyout == NULL) 647 ERR_clear_error(); 648 } 649 650 if (keyout == NULL) 651 BIO_printf(bio_err, "writing new private key to stdout\n"); 652 else 653 BIO_printf(bio_err, "writing new private key to '%s'\n", keyout); 654 out = bio_open_owner(keyout, outformat, private); 655 if (out == NULL) 656 goto end; 657 658 p = NCONF_get_string(req_conf, SECTION, "encrypt_rsa_key"); 659 if (p == NULL) { 660 ERR_clear_error(); 661 p = NCONF_get_string(req_conf, SECTION, "encrypt_key"); 662 if (p == NULL) 663 ERR_clear_error(); 664 } 665 if ((p != NULL) && (strcmp(p, "no") == 0)) 666 cipher = NULL; 667 if (nodes) 668 cipher = NULL; 669 670 i = 0; 671 loop: 672 assert(private); 673 if (!PEM_write_bio_PrivateKey(out, pkey, cipher, 674 NULL, 0, NULL, passout)) { 675 if ((ERR_GET_REASON(ERR_peek_error()) == 676 PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) { 677 ERR_clear_error(); 678 i++; 679 goto loop; 680 } 681 goto end; 682 } 683 BIO_free(out); 684 out = NULL; 685 BIO_printf(bio_err, "-----\n"); 686 } 687 688 if (!newreq) { 689 in = bio_open_default(infile, 'r', informat); 690 if (in == NULL) 691 goto end; 692 693 if (informat == FORMAT_ASN1) 694 req = d2i_X509_REQ_bio(in, NULL); 695 else 696 req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL); 697 if (req == NULL) { 698 BIO_printf(bio_err, "unable to load X509 request\n"); 699 goto end; 700 } 701 } 702 703 if (newreq || x509) { 704 if (pkey == NULL) { 705 BIO_printf(bio_err, "you need to specify a private key\n"); 706 goto end; 707 } 708 709 if (req == NULL) { 710 req = X509_REQ_new(); 711 if (req == NULL) { 712 goto end; 713 } 714 715 i = make_REQ(req, pkey, subj, multirdn, !x509, chtype); 716 subj = NULL; /* done processing '-subj' option */ 717 if (!i) { 718 BIO_printf(bio_err, "problems making Certificate Request\n"); 719 goto end; 720 } 721 } 722 if (x509) { 723 EVP_PKEY *tmppkey; 724 X509V3_CTX ext_ctx; 725 if ((x509ss = X509_new()) == NULL) 726 goto end; 727 728 /* Set version to V3 */ 729 if ((extensions != NULL || addext_conf != NULL) 730 && !X509_set_version(x509ss, 2)) 731 goto end; 732 if (serial != NULL) { 733 if (!X509_set_serialNumber(x509ss, serial)) 734 goto end; 735 } else { 736 if (!rand_serial(NULL, X509_get_serialNumber(x509ss))) 737 goto end; 738 } 739 740 if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) 741 goto end; 742 if (days == 0) { 743 /* set default days if it's not specified */ 744 days = 30; 745 } 746 if (!set_cert_times(x509ss, NULL, NULL, days)) 747 goto end; 748 if (!X509_set_subject_name 749 (x509ss, X509_REQ_get_subject_name(req))) 750 goto end; 751 tmppkey = X509_REQ_get0_pubkey(req); 752 if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey)) 753 goto end; 754 755 /* Set up V3 context struct */ 756 757 X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0); 758 X509V3_set_nconf(&ext_ctx, req_conf); 759 760 /* Add extensions */ 761 if (extensions != NULL && !X509V3_EXT_add_nconf(req_conf, 762 &ext_ctx, extensions, 763 x509ss)) { 764 BIO_printf(bio_err, "Error Loading extension section %s\n", 765 extensions); 766 goto end; 767 } 768 if (addext_conf != NULL 769 && !X509V3_EXT_add_nconf(addext_conf, &ext_ctx, "default", 770 x509ss)) { 771 BIO_printf(bio_err, "Error Loading command line extensions\n"); 772 goto end; 773 } 774 775 /* If a pre-cert was requested, we need to add a poison extension */ 776 if (precert) { 777 if (X509_add1_ext_i2d(x509ss, NID_ct_precert_poison, NULL, 1, 0) 778 != 1) { 779 BIO_printf(bio_err, "Error adding poison extension\n"); 780 goto end; 781 } 782 } 783 784 i = do_X509_sign(x509ss, pkey, digest, sigopts); 785 if (!i) { 786 ERR_print_errors(bio_err); 787 goto end; 788 } 789 } else { 790 X509V3_CTX ext_ctx; 791 792 /* Set up V3 context struct */ 793 794 X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0); 795 X509V3_set_nconf(&ext_ctx, req_conf); 796 797 /* Add extensions */ 798 if (req_exts != NULL 799 && !X509V3_EXT_REQ_add_nconf(req_conf, &ext_ctx, 800 req_exts, req)) { 801 BIO_printf(bio_err, "Error Loading extension section %s\n", 802 req_exts); 803 goto end; 804 } 805 if (addext_conf != NULL 806 && !X509V3_EXT_REQ_add_nconf(addext_conf, &ext_ctx, "default", 807 req)) { 808 BIO_printf(bio_err, "Error Loading command line extensions\n"); 809 goto end; 810 } 811 i = do_X509_REQ_sign(req, pkey, digest, sigopts); 812 if (!i) { 813 ERR_print_errors(bio_err); 814 goto end; 815 } 816 } 817 } 818 819 if (subj && x509) { 820 BIO_printf(bio_err, "Cannot modify certificate subject\n"); 821 goto end; 822 } 823 824 if (subj && !x509) { 825 if (verbose) { 826 BIO_printf(bio_err, "Modifying Request's Subject\n"); 827 print_name(bio_err, "old subject=", 828 X509_REQ_get_subject_name(req), get_nameopt()); 829 } 830 831 if (build_subject(req, subj, chtype, multirdn) == 0) { 832 BIO_printf(bio_err, "ERROR: cannot modify subject\n"); 833 ret = 1; 834 goto end; 835 } 836 837 if (verbose) { 838 print_name(bio_err, "new subject=", 839 X509_REQ_get_subject_name(req), get_nameopt()); 840 } 841 } 842 843 if (verify && !x509) { 844 EVP_PKEY *tpubkey = pkey; 845 846 if (tpubkey == NULL) { 847 tpubkey = X509_REQ_get0_pubkey(req); 848 if (tpubkey == NULL) 849 goto end; 850 } 851 852 i = X509_REQ_verify(req, tpubkey); 853 854 if (i < 0) { 855 goto end; 856 } else if (i == 0) { 857 BIO_printf(bio_err, "verify failure\n"); 858 ERR_print_errors(bio_err); 859 } else { /* if (i > 0) */ 860 BIO_printf(bio_err, "verify OK\n"); 861 } 862 } 863 864 if (noout && !text && !modulus && !subject && !pubkey) { 865 ret = 0; 866 goto end; 867 } 868 869 out = bio_open_default(outfile, 870 keyout != NULL && outfile != NULL && 871 strcmp(keyout, outfile) == 0 ? 'a' : 'w', 872 outformat); 873 if (out == NULL) 874 goto end; 875 876 if (pubkey) { 877 EVP_PKEY *tpubkey = X509_REQ_get0_pubkey(req); 878 879 if (tpubkey == NULL) { 880 BIO_printf(bio_err, "Error getting public key\n"); 881 ERR_print_errors(bio_err); 882 goto end; 883 } 884 PEM_write_bio_PUBKEY(out, tpubkey); 885 } 886 887 if (text) { 888 if (x509) 889 ret = X509_print_ex(out, x509ss, get_nameopt(), reqflag); 890 else 891 ret = X509_REQ_print_ex(out, req, get_nameopt(), reqflag); 892 893 if (ret == 0) { 894 if (x509) 895 BIO_printf(bio_err, "Error printing certificate\n"); 896 else 897 BIO_printf(bio_err, "Error printing certificate request\n"); 898 899 ERR_print_errors(bio_err); 900 goto end; 901 } 902 } 903 904 if (subject) { 905 if (x509) 906 print_name(out, "subject=", X509_get_subject_name(x509ss), 907 get_nameopt()); 908 else 909 print_name(out, "subject=", X509_REQ_get_subject_name(req), 910 get_nameopt()); 911 } 912 913 if (modulus) { 914 EVP_PKEY *tpubkey; 915 916 if (x509) 917 tpubkey = X509_get0_pubkey(x509ss); 918 else 919 tpubkey = X509_REQ_get0_pubkey(req); 920 if (tpubkey == NULL) { 921 fprintf(stdout, "Modulus=unavailable\n"); 922 goto end; 923 } 924 fprintf(stdout, "Modulus="); 925 #ifndef OPENSSL_NO_RSA 926 if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA) { 927 const BIGNUM *n; 928 RSA_get0_key(EVP_PKEY_get0_RSA(tpubkey), &n, NULL, NULL); 929 BN_print(out, n); 930 } else 931 #endif 932 fprintf(stdout, "Wrong Algorithm type"); 933 fprintf(stdout, "\n"); 934 } 935 936 if (!noout && !x509) { 937 if (outformat == FORMAT_ASN1) 938 i = i2d_X509_REQ_bio(out, req); 939 else if (newhdr) 940 i = PEM_write_bio_X509_REQ_NEW(out, req); 941 else 942 i = PEM_write_bio_X509_REQ(out, req); 943 if (!i) { 944 BIO_printf(bio_err, "unable to write X509 request\n"); 945 goto end; 946 } 947 } 948 if (!noout && x509 && (x509ss != NULL)) { 949 if (outformat == FORMAT_ASN1) 950 i = i2d_X509_bio(out, x509ss); 951 else 952 i = PEM_write_bio_X509(out, x509ss); 953 if (!i) { 954 BIO_printf(bio_err, "unable to write X509 certificate\n"); 955 goto end; 956 } 957 } 958 ret = 0; 959 end: 960 if (ret) { 961 ERR_print_errors(bio_err); 962 } 963 NCONF_free(req_conf); 964 NCONF_free(addext_conf); 965 BIO_free(addext_bio); 966 BIO_free(in); 967 BIO_free_all(out); 968 EVP_PKEY_free(pkey); 969 EVP_PKEY_CTX_free(genctx); 970 sk_OPENSSL_STRING_free(pkeyopts); 971 sk_OPENSSL_STRING_free(sigopts); 972 lh_OPENSSL_STRING_doall(addexts, exts_cleanup); 973 lh_OPENSSL_STRING_free(addexts); 974 #ifndef OPENSSL_NO_ENGINE 975 ENGINE_free(gen_eng); 976 #endif 977 OPENSSL_free(keyalgstr); 978 X509_REQ_free(req); 979 X509_free(x509ss); 980 ASN1_INTEGER_free(serial); 981 release_engine(e); 982 if (passin != nofree_passin) 983 OPENSSL_free(passin); 984 if (passout != nofree_passout) 985 OPENSSL_free(passout); 986 return ret; 987 } 988 989 static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn, 990 int attribs, unsigned long chtype) 991 { 992 int ret = 0, i; 993 char no_prompt = 0; 994 STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL; 995 char *tmp, *dn_sect, *attr_sect; 996 997 tmp = NCONF_get_string(req_conf, SECTION, PROMPT); 998 if (tmp == NULL) 999 ERR_clear_error(); 1000 if ((tmp != NULL) && strcmp(tmp, "no") == 0) 1001 no_prompt = 1; 1002 1003 dn_sect = NCONF_get_string(req_conf, SECTION, DISTINGUISHED_NAME); 1004 if (dn_sect == NULL) { 1005 BIO_printf(bio_err, "unable to find '%s' in config\n", 1006 DISTINGUISHED_NAME); 1007 goto err; 1008 } 1009 dn_sk = NCONF_get_section(req_conf, dn_sect); 1010 if (dn_sk == NULL) { 1011 BIO_printf(bio_err, "unable to get '%s' section\n", dn_sect); 1012 goto err; 1013 } 1014 1015 attr_sect = NCONF_get_string(req_conf, SECTION, ATTRIBUTES); 1016 if (attr_sect == NULL) { 1017 ERR_clear_error(); 1018 attr_sk = NULL; 1019 } else { 1020 attr_sk = NCONF_get_section(req_conf, attr_sect); 1021 if (attr_sk == NULL) { 1022 BIO_printf(bio_err, "unable to get '%s' section\n", attr_sect); 1023 goto err; 1024 } 1025 } 1026 1027 /* setup version number */ 1028 if (!X509_REQ_set_version(req, 0L)) 1029 goto err; /* version 1 */ 1030 1031 if (subj) 1032 i = build_subject(req, subj, chtype, multirdn); 1033 else if (no_prompt) 1034 i = auto_info(req, dn_sk, attr_sk, attribs, chtype); 1035 else 1036 i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs, 1037 chtype); 1038 if (!i) 1039 goto err; 1040 1041 if (!X509_REQ_set_pubkey(req, pkey)) 1042 goto err; 1043 1044 ret = 1; 1045 err: 1046 return ret; 1047 } 1048 1049 /* 1050 * subject is expected to be in the format /type0=value0/type1=value1/type2=... 1051 * where characters may be escaped by \ 1052 */ 1053 static int build_subject(X509_REQ *req, const char *subject, unsigned long chtype, 1054 int multirdn) 1055 { 1056 X509_NAME *n; 1057 1058 if ((n = parse_name(subject, chtype, multirdn)) == NULL) 1059 return 0; 1060 1061 if (!X509_REQ_set_subject_name(req, n)) { 1062 X509_NAME_free(n); 1063 return 0; 1064 } 1065 X509_NAME_free(n); 1066 return 1; 1067 } 1068 1069 static int prompt_info(X509_REQ *req, 1070 STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect, 1071 STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect, 1072 int attribs, unsigned long chtype) 1073 { 1074 int i; 1075 char *p, *q; 1076 char buf[100]; 1077 int nid, mval; 1078 long n_min, n_max; 1079 char *type, *value; 1080 const char *def; 1081 CONF_VALUE *v; 1082 X509_NAME *subj; 1083 subj = X509_REQ_get_subject_name(req); 1084 1085 if (!batch) { 1086 BIO_printf(bio_err, 1087 "You are about to be asked to enter information that will be incorporated\n"); 1088 BIO_printf(bio_err, "into your certificate request.\n"); 1089 BIO_printf(bio_err, 1090 "What you are about to enter is what is called a Distinguished Name or a DN.\n"); 1091 BIO_printf(bio_err, 1092 "There are quite a few fields but you can leave some blank\n"); 1093 BIO_printf(bio_err, 1094 "For some fields there will be a default value,\n"); 1095 BIO_printf(bio_err, 1096 "If you enter '.', the field will be left blank.\n"); 1097 BIO_printf(bio_err, "-----\n"); 1098 } 1099 1100 if (sk_CONF_VALUE_num(dn_sk)) { 1101 i = -1; 1102 start: 1103 for ( ; ; ) { 1104 i++; 1105 if (sk_CONF_VALUE_num(dn_sk) <= i) 1106 break; 1107 1108 v = sk_CONF_VALUE_value(dn_sk, i); 1109 p = q = NULL; 1110 type = v->name; 1111 if (!check_end(type, "_min") || !check_end(type, "_max") || 1112 !check_end(type, "_default") || !check_end(type, "_value")) 1113 continue; 1114 /* 1115 * Skip past any leading X. X: X, etc to allow for multiple 1116 * instances 1117 */ 1118 for (p = v->name; *p; p++) 1119 if ((*p == ':') || (*p == ',') || (*p == '.')) { 1120 p++; 1121 if (*p) 1122 type = p; 1123 break; 1124 } 1125 if (*type == '+') { 1126 mval = -1; 1127 type++; 1128 } else { 1129 mval = 0; 1130 } 1131 /* If OBJ not recognised ignore it */ 1132 if ((nid = OBJ_txt2nid(type)) == NID_undef) 1133 goto start; 1134 if (!join(buf, sizeof(buf), v->name, "_default", "Name")) 1135 return 0; 1136 if ((def = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) { 1137 ERR_clear_error(); 1138 def = ""; 1139 } 1140 1141 if (!join(buf, sizeof(buf), v->name, "_value", "Name")) 1142 return 0; 1143 if ((value = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) { 1144 ERR_clear_error(); 1145 value = NULL; 1146 } 1147 1148 if (!join(buf, sizeof(buf), v->name, "_min", "Name")) 1149 return 0; 1150 if (!NCONF_get_number(req_conf, dn_sect, buf, &n_min)) { 1151 ERR_clear_error(); 1152 n_min = -1; 1153 } 1154 1155 1156 if (!join(buf, sizeof(buf), v->name, "_max", "Name")) 1157 return 0; 1158 if (!NCONF_get_number(req_conf, dn_sect, buf, &n_max)) { 1159 ERR_clear_error(); 1160 n_max = -1; 1161 } 1162 1163 if (!add_DN_object(subj, v->value, def, value, nid, 1164 n_min, n_max, chtype, mval)) 1165 return 0; 1166 } 1167 if (X509_NAME_entry_count(subj) == 0) { 1168 BIO_printf(bio_err, 1169 "error, no objects specified in config file\n"); 1170 return 0; 1171 } 1172 1173 if (attribs) { 1174 if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0) 1175 && (!batch)) { 1176 BIO_printf(bio_err, 1177 "\nPlease enter the following 'extra' attributes\n"); 1178 BIO_printf(bio_err, 1179 "to be sent with your certificate request\n"); 1180 } 1181 1182 i = -1; 1183 start2: 1184 for ( ; ; ) { 1185 i++; 1186 if ((attr_sk == NULL) || (sk_CONF_VALUE_num(attr_sk) <= i)) 1187 break; 1188 1189 v = sk_CONF_VALUE_value(attr_sk, i); 1190 type = v->name; 1191 if ((nid = OBJ_txt2nid(type)) == NID_undef) 1192 goto start2; 1193 1194 if (!join(buf, sizeof(buf), type, "_default", "Name")) 1195 return 0; 1196 if ((def = NCONF_get_string(req_conf, attr_sect, buf)) 1197 == NULL) { 1198 ERR_clear_error(); 1199 def = ""; 1200 } 1201 1202 if (!join(buf, sizeof(buf), type, "_value", "Name")) 1203 return 0; 1204 if ((value = NCONF_get_string(req_conf, attr_sect, buf)) 1205 == NULL) { 1206 ERR_clear_error(); 1207 value = NULL; 1208 } 1209 1210 if (!join(buf, sizeof(buf), type,"_min", "Name")) 1211 return 0; 1212 if (!NCONF_get_number(req_conf, attr_sect, buf, &n_min)) { 1213 ERR_clear_error(); 1214 n_min = -1; 1215 } 1216 1217 if (!join(buf, sizeof(buf), type, "_max", "Name")) 1218 return 0; 1219 if (!NCONF_get_number(req_conf, attr_sect, buf, &n_max)) { 1220 ERR_clear_error(); 1221 n_max = -1; 1222 } 1223 1224 if (!add_attribute_object(req, 1225 v->value, def, value, nid, n_min, 1226 n_max, chtype)) 1227 return 0; 1228 } 1229 } 1230 } else { 1231 BIO_printf(bio_err, "No template, please set one up.\n"); 1232 return 0; 1233 } 1234 1235 return 1; 1236 1237 } 1238 1239 static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk, 1240 STACK_OF(CONF_VALUE) *attr_sk, int attribs, 1241 unsigned long chtype) 1242 { 1243 int i, spec_char, plus_char; 1244 char *p, *q; 1245 char *type; 1246 CONF_VALUE *v; 1247 X509_NAME *subj; 1248 1249 subj = X509_REQ_get_subject_name(req); 1250 1251 for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) { 1252 int mval; 1253 v = sk_CONF_VALUE_value(dn_sk, i); 1254 p = q = NULL; 1255 type = v->name; 1256 /* 1257 * Skip past any leading X. X: X, etc to allow for multiple instances 1258 */ 1259 for (p = v->name; *p; p++) { 1260 #ifndef CHARSET_EBCDIC 1261 spec_char = ((*p == ':') || (*p == ',') || (*p == '.')); 1262 #else 1263 spec_char = ((*p == os_toascii[':']) || (*p == os_toascii[',']) 1264 || (*p == os_toascii['.'])); 1265 #endif 1266 if (spec_char) { 1267 p++; 1268 if (*p) 1269 type = p; 1270 break; 1271 } 1272 } 1273 #ifndef CHARSET_EBCDIC 1274 plus_char = (*type == '+'); 1275 #else 1276 plus_char = (*type == os_toascii['+']); 1277 #endif 1278 if (plus_char) { 1279 type++; 1280 mval = -1; 1281 } else { 1282 mval = 0; 1283 } 1284 if (!X509_NAME_add_entry_by_txt(subj, type, chtype, 1285 (unsigned char *)v->value, -1, -1, 1286 mval)) 1287 return 0; 1288 1289 } 1290 1291 if (!X509_NAME_entry_count(subj)) { 1292 BIO_printf(bio_err, "error, no objects specified in config file\n"); 1293 return 0; 1294 } 1295 if (attribs) { 1296 for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) { 1297 v = sk_CONF_VALUE_value(attr_sk, i); 1298 if (!X509_REQ_add1_attr_by_txt(req, v->name, chtype, 1299 (unsigned char *)v->value, -1)) 1300 return 0; 1301 } 1302 } 1303 return 1; 1304 } 1305 1306 static int add_DN_object(X509_NAME *n, char *text, const char *def, 1307 char *value, int nid, int n_min, int n_max, 1308 unsigned long chtype, int mval) 1309 { 1310 int ret = 0; 1311 char buf[1024]; 1312 1313 ret = build_data(text, def, value, n_min, n_max, buf, sizeof(buf), 1314 "DN value", "DN default"); 1315 if ((ret == 0) || (ret == 1)) 1316 return ret; 1317 ret = 1; 1318 1319 if (!X509_NAME_add_entry_by_NID(n, nid, chtype, 1320 (unsigned char *)buf, -1, -1, mval)) 1321 ret = 0; 1322 1323 return ret; 1324 } 1325 1326 static int add_attribute_object(X509_REQ *req, char *text, const char *def, 1327 char *value, int nid, int n_min, 1328 int n_max, unsigned long chtype) 1329 { 1330 int ret = 0; 1331 char buf[1024]; 1332 1333 ret = build_data(text, def, value, n_min, n_max, buf, sizeof(buf), 1334 "Attribute value", "Attribute default"); 1335 if ((ret == 0) || (ret == 1)) 1336 return ret; 1337 ret = 1; 1338 1339 if (!X509_REQ_add1_attr_by_NID(req, nid, chtype, 1340 (unsigned char *)buf, -1)) { 1341 BIO_printf(bio_err, "Error adding attribute\n"); 1342 ERR_print_errors(bio_err); 1343 ret = 0; 1344 } 1345 1346 return ret; 1347 } 1348 1349 1350 static int build_data(char *text, const char *def, 1351 char *value, int n_min, int n_max, 1352 char *buf, const int buf_size, 1353 const char *desc1, const char *desc2 1354 ) 1355 { 1356 int i; 1357 start: 1358 if (!batch) 1359 BIO_printf(bio_err, "%s [%s]:", text, def); 1360 (void)BIO_flush(bio_err); 1361 if (value != NULL) { 1362 if (!join(buf, buf_size, value, "\n", desc1)) 1363 return 0; 1364 BIO_printf(bio_err, "%s\n", value); 1365 } else { 1366 buf[0] = '\0'; 1367 if (!batch) { 1368 if (!fgets(buf, buf_size, stdin)) 1369 return 0; 1370 } else { 1371 buf[0] = '\n'; 1372 buf[1] = '\0'; 1373 } 1374 } 1375 1376 if (buf[0] == '\0') 1377 return 0; 1378 if (buf[0] == '\n') { 1379 if ((def == NULL) || (def[0] == '\0')) 1380 return 1; 1381 if (!join(buf, buf_size, def, "\n", desc2)) 1382 return 0; 1383 } else if ((buf[0] == '.') && (buf[1] == '\n')) { 1384 return 1; 1385 } 1386 1387 i = strlen(buf); 1388 if (buf[i - 1] != '\n') { 1389 BIO_printf(bio_err, "weird input :-(\n"); 1390 return 0; 1391 } 1392 buf[--i] = '\0'; 1393 #ifdef CHARSET_EBCDIC 1394 ebcdic2ascii(buf, buf, i); 1395 #endif 1396 if (!req_check_len(i, n_min, n_max)) { 1397 if (batch || value) 1398 return 0; 1399 goto start; 1400 } 1401 return 2; 1402 } 1403 1404 static int req_check_len(int len, int n_min, int n_max) 1405 { 1406 if ((n_min > 0) && (len < n_min)) { 1407 BIO_printf(bio_err, 1408 "string is too short, it needs to be at least %d bytes long\n", 1409 n_min); 1410 return 0; 1411 } 1412 if ((n_max >= 0) && (len > n_max)) { 1413 BIO_printf(bio_err, 1414 "string is too long, it needs to be no more than %d bytes long\n", 1415 n_max); 1416 return 0; 1417 } 1418 return 1; 1419 } 1420 1421 /* Check if the end of a string matches 'end' */ 1422 static int check_end(const char *str, const char *end) 1423 { 1424 size_t elen, slen; 1425 const char *tmp; 1426 1427 elen = strlen(end); 1428 slen = strlen(str); 1429 if (elen > slen) 1430 return 1; 1431 tmp = str + slen - elen; 1432 return strcmp(tmp, end); 1433 } 1434 1435 /* 1436 * Merge the two strings together into the result buffer checking for 1437 * overflow and producing an error message if there is. 1438 */ 1439 static int join(char buf[], size_t buf_size, const char *name, 1440 const char *tail, const char *desc) 1441 { 1442 const size_t name_len = strlen(name), tail_len = strlen(tail); 1443 1444 if (name_len + tail_len + 1 > buf_size) { 1445 BIO_printf(bio_err, "%s '%s' too long\n", desc, name); 1446 return 0; 1447 } 1448 memcpy(buf, name, name_len); 1449 memcpy(buf + name_len, tail, tail_len + 1); 1450 return 1; 1451 } 1452 1453 static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, 1454 int *pkey_type, long *pkeylen, 1455 char **palgnam, ENGINE *keygen_engine) 1456 { 1457 EVP_PKEY_CTX *gctx = NULL; 1458 EVP_PKEY *param = NULL; 1459 long keylen = -1; 1460 BIO *pbio = NULL; 1461 const char *paramfile = NULL; 1462 1463 if (gstr == NULL) { 1464 *pkey_type = EVP_PKEY_RSA; 1465 keylen = *pkeylen; 1466 } else if (gstr[0] >= '0' && gstr[0] <= '9') { 1467 *pkey_type = EVP_PKEY_RSA; 1468 keylen = atol(gstr); 1469 *pkeylen = keylen; 1470 } else if (strncmp(gstr, "param:", 6) == 0) { 1471 paramfile = gstr + 6; 1472 } else { 1473 const char *p = strchr(gstr, ':'); 1474 int len; 1475 ENGINE *tmpeng; 1476 const EVP_PKEY_ASN1_METHOD *ameth; 1477 1478 if (p != NULL) 1479 len = p - gstr; 1480 else 1481 len = strlen(gstr); 1482 /* 1483 * The lookup of a the string will cover all engines so keep a note 1484 * of the implementation. 1485 */ 1486 1487 ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len); 1488 1489 if (ameth == NULL) { 1490 BIO_printf(bio_err, "Unknown algorithm %.*s\n", len, gstr); 1491 return NULL; 1492 } 1493 1494 EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, ameth); 1495 #ifndef OPENSSL_NO_ENGINE 1496 ENGINE_finish(tmpeng); 1497 #endif 1498 if (*pkey_type == EVP_PKEY_RSA) { 1499 if (p != NULL) { 1500 keylen = atol(p + 1); 1501 *pkeylen = keylen; 1502 } else { 1503 keylen = *pkeylen; 1504 } 1505 } else if (p != NULL) { 1506 paramfile = p + 1; 1507 } 1508 } 1509 1510 if (paramfile != NULL) { 1511 pbio = BIO_new_file(paramfile, "r"); 1512 if (pbio == NULL) { 1513 BIO_printf(bio_err, "Can't open parameter file %s\n", paramfile); 1514 return NULL; 1515 } 1516 param = PEM_read_bio_Parameters(pbio, NULL); 1517 1518 if (param == NULL) { 1519 X509 *x; 1520 1521 (void)BIO_reset(pbio); 1522 x = PEM_read_bio_X509(pbio, NULL, NULL, NULL); 1523 if (x != NULL) { 1524 param = X509_get_pubkey(x); 1525 X509_free(x); 1526 } 1527 } 1528 1529 BIO_free(pbio); 1530 1531 if (param == NULL) { 1532 BIO_printf(bio_err, "Error reading parameter file %s\n", paramfile); 1533 return NULL; 1534 } 1535 if (*pkey_type == -1) { 1536 *pkey_type = EVP_PKEY_id(param); 1537 } else if (*pkey_type != EVP_PKEY_base_id(param)) { 1538 BIO_printf(bio_err, "Key Type does not match parameters\n"); 1539 EVP_PKEY_free(param); 1540 return NULL; 1541 } 1542 } 1543 1544 if (palgnam != NULL) { 1545 const EVP_PKEY_ASN1_METHOD *ameth; 1546 ENGINE *tmpeng; 1547 const char *anam; 1548 1549 ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type); 1550 if (ameth == NULL) { 1551 BIO_puts(bio_err, "Internal error: can't find key algorithm\n"); 1552 return NULL; 1553 } 1554 EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth); 1555 *palgnam = OPENSSL_strdup(anam); 1556 #ifndef OPENSSL_NO_ENGINE 1557 ENGINE_finish(tmpeng); 1558 #endif 1559 } 1560 1561 if (param != NULL) { 1562 gctx = EVP_PKEY_CTX_new(param, keygen_engine); 1563 *pkeylen = EVP_PKEY_bits(param); 1564 EVP_PKEY_free(param); 1565 } else { 1566 gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine); 1567 } 1568 1569 if (gctx == NULL) { 1570 BIO_puts(bio_err, "Error allocating keygen context\n"); 1571 ERR_print_errors(bio_err); 1572 return NULL; 1573 } 1574 1575 if (EVP_PKEY_keygen_init(gctx) <= 0) { 1576 BIO_puts(bio_err, "Error initializing keygen context\n"); 1577 ERR_print_errors(bio_err); 1578 EVP_PKEY_CTX_free(gctx); 1579 return NULL; 1580 } 1581 #ifndef OPENSSL_NO_RSA 1582 if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) { 1583 if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) { 1584 BIO_puts(bio_err, "Error setting RSA keysize\n"); 1585 ERR_print_errors(bio_err); 1586 EVP_PKEY_CTX_free(gctx); 1587 return NULL; 1588 } 1589 } 1590 #endif 1591 1592 return gctx; 1593 } 1594 1595 static int genpkey_cb(EVP_PKEY_CTX *ctx) 1596 { 1597 char c = '*'; 1598 BIO *b = EVP_PKEY_CTX_get_app_data(ctx); 1599 int p; 1600 p = EVP_PKEY_CTX_get_keygen_info(ctx, 0); 1601 if (p == 0) 1602 c = '.'; 1603 if (p == 1) 1604 c = '+'; 1605 if (p == 2) 1606 c = '*'; 1607 if (p == 3) 1608 c = '\n'; 1609 BIO_write(b, &c, 1); 1610 (void)BIO_flush(b); 1611 return 1; 1612 } 1613 1614 static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey, 1615 const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts) 1616 { 1617 EVP_PKEY_CTX *pkctx = NULL; 1618 int i, def_nid; 1619 1620 if (ctx == NULL) 1621 return 0; 1622 /* 1623 * EVP_PKEY_get_default_digest_nid() returns 2 if the digest is mandatory 1624 * for this algorithm. 1625 */ 1626 if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) == 2 1627 && def_nid == NID_undef) { 1628 /* The signing algorithm requires there to be no digest */ 1629 md = NULL; 1630 } 1631 if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey)) 1632 return 0; 1633 for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) { 1634 char *sigopt = sk_OPENSSL_STRING_value(sigopts, i); 1635 if (pkey_ctrl_string(pkctx, sigopt) <= 0) { 1636 BIO_printf(bio_err, "parameter error \"%s\"\n", sigopt); 1637 ERR_print_errors(bio_err); 1638 return 0; 1639 } 1640 } 1641 return 1; 1642 } 1643 1644 int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md, 1645 STACK_OF(OPENSSL_STRING) *sigopts) 1646 { 1647 int rv; 1648 EVP_MD_CTX *mctx = EVP_MD_CTX_new(); 1649 1650 rv = do_sign_init(mctx, pkey, md, sigopts); 1651 if (rv > 0) 1652 rv = X509_sign_ctx(x, mctx); 1653 EVP_MD_CTX_free(mctx); 1654 return rv > 0 ? 1 : 0; 1655 } 1656 1657 int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md, 1658 STACK_OF(OPENSSL_STRING) *sigopts) 1659 { 1660 int rv; 1661 EVP_MD_CTX *mctx = EVP_MD_CTX_new(); 1662 rv = do_sign_init(mctx, pkey, md, sigopts); 1663 if (rv > 0) 1664 rv = X509_REQ_sign_ctx(x, mctx); 1665 EVP_MD_CTX_free(mctx); 1666 return rv > 0 ? 1 : 0; 1667 } 1668 1669 int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md, 1670 STACK_OF(OPENSSL_STRING) *sigopts) 1671 { 1672 int rv; 1673 EVP_MD_CTX *mctx = EVP_MD_CTX_new(); 1674 rv = do_sign_init(mctx, pkey, md, sigopts); 1675 if (rv > 0) 1676 rv = X509_CRL_sign_ctx(x, mctx); 1677 EVP_MD_CTX_free(mctx); 1678 return rv > 0 ? 1 : 0; 1679 } 1680