xref: /freebsd/crypto/openssl/apps/req.c (revision ec4deee4e4f2aef1b97d9424f25d04e91fd7dc10)
1 /*
2  * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the OpenSSL license (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <stdio.h>
11 #include <stdlib.h>
12 #include <time.h>
13 #include <string.h>
14 #include <ctype.h>
15 #include "apps.h"
16 #include "progs.h"
17 #include <openssl/bio.h>
18 #include <openssl/evp.h>
19 #include <openssl/conf.h>
20 #include <openssl/err.h>
21 #include <openssl/asn1.h>
22 #include <openssl/x509.h>
23 #include <openssl/x509v3.h>
24 #include <openssl/objects.h>
25 #include <openssl/pem.h>
26 #include <openssl/bn.h>
27 #include <openssl/lhash.h>
28 #ifndef OPENSSL_NO_RSA
29 # include <openssl/rsa.h>
30 #endif
31 #ifndef OPENSSL_NO_DSA
32 # include <openssl/dsa.h>
33 #endif
34 
35 #define SECTION         "req"
36 
37 #define BITS            "default_bits"
38 #define KEYFILE         "default_keyfile"
39 #define PROMPT          "prompt"
40 #define DISTINGUISHED_NAME      "distinguished_name"
41 #define ATTRIBUTES      "attributes"
42 #define V3_EXTENSIONS   "x509_extensions"
43 #define REQ_EXTENSIONS  "req_extensions"
44 #define STRING_MASK     "string_mask"
45 #define UTF8_IN         "utf8"
46 
47 #define DEFAULT_KEY_LENGTH      2048
48 #define MIN_KEY_LENGTH          512
49 
50 static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *dn, int mutlirdn,
51                     int attribs, unsigned long chtype);
52 static int build_subject(X509_REQ *req, const char *subj, unsigned long chtype,
53                          int multirdn);
54 static int prompt_info(X509_REQ *req,
55                        STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
56                        STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
57                        int attribs, unsigned long chtype);
58 static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk,
59                      STACK_OF(CONF_VALUE) *attr, int attribs,
60                      unsigned long chtype);
61 static int add_attribute_object(X509_REQ *req, char *text, const char *def,
62                                 char *value, int nid, int n_min, int n_max,
63                                 unsigned long chtype);
64 static int add_DN_object(X509_NAME *n, char *text, const char *def,
65                          char *value, int nid, int n_min, int n_max,
66                          unsigned long chtype, int mval);
67 static int genpkey_cb(EVP_PKEY_CTX *ctx);
68 static int build_data(char *text, const char *def,
69                       char *value, int n_min, int n_max,
70                       char *buf, const int buf_size,
71                       const char *desc1, const char *desc2
72                       );
73 static int req_check_len(int len, int n_min, int n_max);
74 static int check_end(const char *str, const char *end);
75 static int join(char buf[], size_t buf_size, const char *name,
76                 const char *tail, const char *desc);
77 static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
78                                     int *pkey_type, long *pkeylen,
79                                     char **palgnam, ENGINE *keygen_engine);
80 static CONF *req_conf = NULL;
81 static CONF *addext_conf = NULL;
82 static int batch = 0;
83 
84 typedef enum OPTION_choice {
85     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
86     OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY,
87     OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT,
88     OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_NEWKEY,
89     OPT_PKEYOPT, OPT_SIGOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS,
90     OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
91     OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
92     OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_ADDEXT, OPT_EXTENSIONS,
93     OPT_REQEXTS, OPT_PRECERT, OPT_MD,
94     OPT_R_ENUM
95 } OPTION_CHOICE;
96 
97 const OPTIONS req_options[] = {
98     {"help", OPT_HELP, '-', "Display this summary"},
99     {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
100     {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
101     {"in", OPT_IN, '<', "Input file"},
102     {"out", OPT_OUT, '>', "Output file"},
103     {"key", OPT_KEY, 's', "Private key to use"},
104     {"keyform", OPT_KEYFORM, 'f', "Key file format"},
105     {"pubkey", OPT_PUBKEY, '-', "Output public key"},
106     {"new", OPT_NEW, '-', "New request"},
107     {"config", OPT_CONFIG, '<', "Request template file"},
108     {"keyout", OPT_KEYOUT, '>', "File to send the key to"},
109     {"passin", OPT_PASSIN, 's', "Private key password source"},
110     {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
111     OPT_R_OPTIONS,
112     {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"},
113     {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
114     {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
115     {"batch", OPT_BATCH, '-',
116      "Do not ask anything during request generation"},
117     {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"},
118     {"modulus", OPT_MODULUS, '-', "RSA modulus"},
119     {"verify", OPT_VERIFY, '-', "Verify signature on REQ"},
120     {"nodes", OPT_NODES, '-', "Don't encrypt the output key"},
121     {"noout", OPT_NOOUT, '-', "Do not output REQ"},
122     {"verbose", OPT_VERBOSE, '-', "Verbose output"},
123     {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
124     {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
125     {"reqopt", OPT_REQOPT, 's', "Various request text options"},
126     {"text", OPT_TEXT, '-', "Text form of request"},
127     {"x509", OPT_X509, '-',
128      "Output a x509 structure instead of a cert request"},
129     {OPT_MORE_STR, 1, 1, "(Required by some CA's)"},
130     {"subj", OPT_SUBJ, 's', "Set or modify request subject"},
131     {"subject", OPT_SUBJECT, '-', "Output the request's subject"},
132     {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
133      "Enable support for multivalued RDNs"},
134     {"days", OPT_DAYS, 'p', "Number of days cert is valid for"},
135     {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
136     {"addext", OPT_ADDEXT, 's',
137      "Additional cert extension key=value pair (may be given more than once)"},
138     {"extensions", OPT_EXTENSIONS, 's',
139      "Cert extension section (override value in config file)"},
140     {"reqexts", OPT_REQEXTS, 's',
141      "Request extension section (override value in config file)"},
142     {"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"},
143     {"", OPT_MD, '-', "Any supported digest"},
144 #ifndef OPENSSL_NO_ENGINE
145     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
146     {"keygen_engine", OPT_KEYGEN_ENGINE, 's',
147      "Specify engine to be used for key generation operations"},
148 #endif
149     {NULL}
150 };
151 
152 
153 /*
154  * An LHASH of strings, where each string is an extension name.
155  */
156 static unsigned long ext_name_hash(const OPENSSL_STRING *a)
157 {
158     return OPENSSL_LH_strhash((const char *)a);
159 }
160 
161 static int ext_name_cmp(const OPENSSL_STRING *a, const OPENSSL_STRING *b)
162 {
163     return strcmp((const char *)a, (const char *)b);
164 }
165 
166 static void exts_cleanup(OPENSSL_STRING *x)
167 {
168     OPENSSL_free((char *)x);
169 }
170 
171 /*
172  * Is the |kv| key already duplicated?  This is remarkably tricky to get
173  * right.  Return 0 if unique, -1 on runtime error; 1 if found or a syntax
174  * error.
175  */
176 static int duplicated(LHASH_OF(OPENSSL_STRING) *addexts, char *kv)
177 {
178     char *p;
179     size_t off;
180 
181     /* Check syntax. */
182     /* Skip leading whitespace, make a copy. */
183     while (*kv && isspace(*kv))
184         if (*++kv == '\0')
185             return 1;
186     if ((p = strchr(kv, '=')) == NULL)
187         return 1;
188     off = p - kv;
189     if ((kv = OPENSSL_strdup(kv)) == NULL)
190         return -1;
191 
192     /* Skip trailing space before the equal sign. */
193     for (p = kv + off; p > kv; --p)
194         if (!isspace(p[-1]))
195             break;
196     if (p == kv) {
197         OPENSSL_free(kv);
198         return 1;
199     }
200     *p = '\0';
201 
202     /* Finally have a clean "key"; see if it's there [by attempt to add it]. */
203     p = (char *)lh_OPENSSL_STRING_insert(addexts, (OPENSSL_STRING*)kv);
204     if (p != NULL) {
205         OPENSSL_free(p);
206         return 1;
207     } else if (lh_OPENSSL_STRING_error(addexts)) {
208         OPENSSL_free(kv);
209         return -1;
210     }
211 
212     return 0;
213 }
214 
215 int req_main(int argc, char **argv)
216 {
217     ASN1_INTEGER *serial = NULL;
218     BIO *in = NULL, *out = NULL;
219     ENGINE *e = NULL, *gen_eng = NULL;
220     EVP_PKEY *pkey = NULL;
221     EVP_PKEY_CTX *genctx = NULL;
222     STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL;
223     LHASH_OF(OPENSSL_STRING) *addexts = NULL;
224     X509 *x509ss = NULL;
225     X509_REQ *req = NULL;
226     const EVP_CIPHER *cipher = NULL;
227     const EVP_MD *md_alg = NULL, *digest = NULL;
228     BIO *addext_bio = NULL;
229     char *extensions = NULL, *infile = NULL;
230     char *outfile = NULL, *keyfile = NULL;
231     char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL;
232     char *passin = NULL, *passout = NULL;
233     char *nofree_passin = NULL, *nofree_passout = NULL;
234     char *req_exts = NULL, *subj = NULL;
235     char *template = default_config_file, *keyout = NULL;
236     const char *keyalg = NULL;
237     OPTION_CHOICE o;
238     int ret = 1, x509 = 0, days = 0, i = 0, newreq = 0, verbose = 0;
239     int pkey_type = -1, private = 0;
240     int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
241     int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
242     int nodes = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0;
243     long newkey = -1;
244     unsigned long chtype = MBSTRING_ASC, reqflag = 0;
245 
246 #ifndef OPENSSL_NO_DES
247     cipher = EVP_des_ede3_cbc();
248 #endif
249 
250     prog = opt_init(argc, argv, req_options);
251     while ((o = opt_next()) != OPT_EOF) {
252         switch (o) {
253         case OPT_EOF:
254         case OPT_ERR:
255  opthelp:
256             BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
257             goto end;
258         case OPT_HELP:
259             opt_help(req_options);
260             ret = 0;
261             goto end;
262         case OPT_INFORM:
263             if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
264                 goto opthelp;
265             break;
266         case OPT_OUTFORM:
267             if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
268                 goto opthelp;
269             break;
270         case OPT_ENGINE:
271             e = setup_engine(opt_arg(), 0);
272             break;
273         case OPT_KEYGEN_ENGINE:
274 #ifndef OPENSSL_NO_ENGINE
275             gen_eng = ENGINE_by_id(opt_arg());
276             if (gen_eng == NULL) {
277                 BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv);
278                 goto opthelp;
279             }
280 #endif
281             break;
282         case OPT_KEY:
283             keyfile = opt_arg();
284             break;
285         case OPT_PUBKEY:
286             pubkey = 1;
287             break;
288         case OPT_NEW:
289             newreq = 1;
290             break;
291         case OPT_CONFIG:
292             template = opt_arg();
293             break;
294         case OPT_KEYFORM:
295             if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
296                 goto opthelp;
297             break;
298         case OPT_IN:
299             infile = opt_arg();
300             break;
301         case OPT_OUT:
302             outfile = opt_arg();
303             break;
304         case OPT_KEYOUT:
305             keyout = opt_arg();
306             break;
307         case OPT_PASSIN:
308             passargin = opt_arg();
309             break;
310         case OPT_PASSOUT:
311             passargout = opt_arg();
312             break;
313         case OPT_R_CASES:
314             if (!opt_rand(o))
315                 goto end;
316             break;
317         case OPT_NEWKEY:
318             keyalg = opt_arg();
319             newreq = 1;
320             break;
321         case OPT_PKEYOPT:
322             if (!pkeyopts)
323                 pkeyopts = sk_OPENSSL_STRING_new_null();
324             if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, opt_arg()))
325                 goto opthelp;
326             break;
327         case OPT_SIGOPT:
328             if (!sigopts)
329                 sigopts = sk_OPENSSL_STRING_new_null();
330             if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
331                 goto opthelp;
332             break;
333         case OPT_BATCH:
334             batch = 1;
335             break;
336         case OPT_NEWHDR:
337             newhdr = 1;
338             break;
339         case OPT_MODULUS:
340             modulus = 1;
341             break;
342         case OPT_VERIFY:
343             verify = 1;
344             break;
345         case OPT_NODES:
346             nodes = 1;
347             break;
348         case OPT_NOOUT:
349             noout = 1;
350             break;
351         case OPT_VERBOSE:
352             verbose = 1;
353             break;
354         case OPT_UTF8:
355             chtype = MBSTRING_UTF8;
356             break;
357         case OPT_NAMEOPT:
358             if (!set_nameopt(opt_arg()))
359                 goto opthelp;
360             break;
361         case OPT_REQOPT:
362             if (!set_cert_ex(&reqflag, opt_arg()))
363                 goto opthelp;
364             break;
365         case OPT_TEXT:
366             text = 1;
367             break;
368         case OPT_X509:
369             x509 = 1;
370             break;
371         case OPT_DAYS:
372             days = atoi(opt_arg());
373             break;
374         case OPT_SET_SERIAL:
375             if (serial != NULL) {
376                 BIO_printf(bio_err, "Serial number supplied twice\n");
377                 goto opthelp;
378             }
379             serial = s2i_ASN1_INTEGER(NULL, opt_arg());
380             if (serial == NULL)
381                 goto opthelp;
382             break;
383         case OPT_SUBJECT:
384             subject = 1;
385             break;
386         case OPT_SUBJ:
387             subj = opt_arg();
388             break;
389         case OPT_MULTIVALUE_RDN:
390             multirdn = 1;
391             break;
392         case OPT_ADDEXT:
393             p = opt_arg();
394             if (addexts == NULL) {
395                 addexts = lh_OPENSSL_STRING_new(ext_name_hash, ext_name_cmp);
396                 addext_bio = BIO_new(BIO_s_mem());
397                 if (addexts == NULL || addext_bio == NULL)
398                     goto end;
399             }
400             i = duplicated(addexts, p);
401             if (i == 1)
402                 goto opthelp;
403             if (i < 0 || BIO_printf(addext_bio, "%s\n", opt_arg()) < 0)
404                 goto end;
405             break;
406         case OPT_EXTENSIONS:
407             extensions = opt_arg();
408             break;
409         case OPT_REQEXTS:
410             req_exts = opt_arg();
411             break;
412         case OPT_PRECERT:
413             newreq = precert = 1;
414             break;
415         case OPT_MD:
416             if (!opt_md(opt_unknown(), &md_alg))
417                 goto opthelp;
418             digest = md_alg;
419             break;
420         }
421     }
422     argc = opt_num_rest();
423     if (argc != 0)
424         goto opthelp;
425 
426     if (days && !x509)
427         BIO_printf(bio_err, "Ignoring -days; not generating a certificate\n");
428     if (x509 && infile == NULL)
429         newreq = 1;
430 
431     /* TODO: simplify this as pkey is still always NULL here */
432     private = newreq && (pkey == NULL) ? 1 : 0;
433 
434     if (!app_passwd(passargin, passargout, &passin, &passout)) {
435         BIO_printf(bio_err, "Error getting passwords\n");
436         goto end;
437     }
438 
439     if (verbose)
440         BIO_printf(bio_err, "Using configuration from %s\n", template);
441     if ((req_conf = app_load_config(template)) == NULL)
442         goto end;
443     if (addext_bio) {
444         if (verbose)
445             BIO_printf(bio_err,
446                        "Using additional configuration from command line\n");
447         if ((addext_conf = app_load_config_bio(addext_bio, NULL)) == NULL)
448             goto end;
449     }
450     if (template != default_config_file && !app_load_modules(req_conf))
451         goto end;
452 
453     if (req_conf != NULL) {
454         p = NCONF_get_string(req_conf, NULL, "oid_file");
455         if (p == NULL)
456             ERR_clear_error();
457         if (p != NULL) {
458             BIO *oid_bio;
459 
460             oid_bio = BIO_new_file(p, "r");
461             if (oid_bio == NULL) {
462                 /*-
463                 BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
464                 ERR_print_errors(bio_err);
465                 */
466             } else {
467                 OBJ_create_objects(oid_bio);
468                 BIO_free(oid_bio);
469             }
470         }
471     }
472     if (!add_oid_section(req_conf))
473         goto end;
474 
475     if (md_alg == NULL) {
476         p = NCONF_get_string(req_conf, SECTION, "default_md");
477         if (p == NULL) {
478             ERR_clear_error();
479         } else {
480             if (!opt_md(p, &md_alg))
481                 goto opthelp;
482             digest = md_alg;
483         }
484     }
485 
486     if (extensions == NULL) {
487         extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
488         if (extensions == NULL)
489             ERR_clear_error();
490     }
491     if (extensions != NULL) {
492         /* Check syntax of file */
493         X509V3_CTX ctx;
494         X509V3_set_ctx_test(&ctx);
495         X509V3_set_nconf(&ctx, req_conf);
496         if (!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) {
497             BIO_printf(bio_err,
498                        "Error Loading extension section %s\n", extensions);
499             goto end;
500         }
501     }
502     if (addext_conf != NULL) {
503         /* Check syntax of command line extensions */
504         X509V3_CTX ctx;
505         X509V3_set_ctx_test(&ctx);
506         X509V3_set_nconf(&ctx, addext_conf);
507         if (!X509V3_EXT_add_nconf(addext_conf, &ctx, "default", NULL)) {
508             BIO_printf(bio_err, "Error Loading command line extensions\n");
509             goto end;
510         }
511     }
512 
513     if (passin == NULL) {
514         passin = nofree_passin =
515             NCONF_get_string(req_conf, SECTION, "input_password");
516         if (passin == NULL)
517             ERR_clear_error();
518     }
519 
520     if (passout == NULL) {
521         passout = nofree_passout =
522             NCONF_get_string(req_conf, SECTION, "output_password");
523         if (passout == NULL)
524             ERR_clear_error();
525     }
526 
527     p = NCONF_get_string(req_conf, SECTION, STRING_MASK);
528     if (p == NULL)
529         ERR_clear_error();
530 
531     if (p != NULL && !ASN1_STRING_set_default_mask_asc(p)) {
532         BIO_printf(bio_err, "Invalid global string mask setting %s\n", p);
533         goto end;
534     }
535 
536     if (chtype != MBSTRING_UTF8) {
537         p = NCONF_get_string(req_conf, SECTION, UTF8_IN);
538         if (p == NULL)
539             ERR_clear_error();
540         else if (strcmp(p, "yes") == 0)
541             chtype = MBSTRING_UTF8;
542     }
543 
544     if (req_exts == NULL) {
545         req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS);
546         if (req_exts == NULL)
547             ERR_clear_error();
548     }
549     if (req_exts != NULL) {
550         /* Check syntax of file */
551         X509V3_CTX ctx;
552         X509V3_set_ctx_test(&ctx);
553         X509V3_set_nconf(&ctx, req_conf);
554         if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) {
555             BIO_printf(bio_err,
556                        "Error Loading request extension section %s\n",
557                        req_exts);
558             goto end;
559         }
560     }
561 
562     if (keyfile != NULL) {
563         pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key");
564         if (pkey == NULL) {
565             /* load_key() has already printed an appropriate message */
566             goto end;
567         } else {
568             app_RAND_load_conf(req_conf, SECTION);
569         }
570     }
571 
572     if (newreq && (pkey == NULL)) {
573         app_RAND_load_conf(req_conf, SECTION);
574 
575         if (!NCONF_get_number(req_conf, SECTION, BITS, &newkey)) {
576             newkey = DEFAULT_KEY_LENGTH;
577         }
578 
579         if (keyalg != NULL) {
580             genctx = set_keygen_ctx(keyalg, &pkey_type, &newkey,
581                                     &keyalgstr, gen_eng);
582             if (genctx == NULL)
583                 goto end;
584         }
585 
586         if (newkey < MIN_KEY_LENGTH
587             && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) {
588             BIO_printf(bio_err, "private key length is too short,\n");
589             BIO_printf(bio_err, "it needs to be at least %d bits, not %ld\n",
590                        MIN_KEY_LENGTH, newkey);
591             goto end;
592         }
593 
594         if (pkey_type == EVP_PKEY_RSA && newkey > OPENSSL_RSA_MAX_MODULUS_BITS)
595             BIO_printf(bio_err,
596                        "Warning: It is not recommended to use more than %d bit for RSA keys.\n"
597                        "         Your key size is %ld! Larger key size may behave not as expected.\n",
598                        OPENSSL_RSA_MAX_MODULUS_BITS, newkey);
599 
600 #ifndef OPENSSL_NO_DSA
601         if (pkey_type == EVP_PKEY_DSA && newkey > OPENSSL_DSA_MAX_MODULUS_BITS)
602             BIO_printf(bio_err,
603                        "Warning: It is not recommended to use more than %d bit for DSA keys.\n"
604                        "         Your key size is %ld! Larger key size may behave not as expected.\n",
605                        OPENSSL_DSA_MAX_MODULUS_BITS, newkey);
606 #endif
607 
608         if (genctx == NULL) {
609             genctx = set_keygen_ctx(NULL, &pkey_type, &newkey,
610                                     &keyalgstr, gen_eng);
611             if (!genctx)
612                 goto end;
613         }
614 
615         if (pkeyopts != NULL) {
616             char *genopt;
617             for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) {
618                 genopt = sk_OPENSSL_STRING_value(pkeyopts, i);
619                 if (pkey_ctrl_string(genctx, genopt) <= 0) {
620                     BIO_printf(bio_err, "parameter error \"%s\"\n", genopt);
621                     ERR_print_errors(bio_err);
622                     goto end;
623                 }
624             }
625         }
626 
627         if (pkey_type == EVP_PKEY_EC) {
628             BIO_printf(bio_err, "Generating an EC private key\n");
629         } else {
630             BIO_printf(bio_err, "Generating a %s private key\n", keyalgstr);
631         }
632 
633         EVP_PKEY_CTX_set_cb(genctx, genpkey_cb);
634         EVP_PKEY_CTX_set_app_data(genctx, bio_err);
635 
636         if (EVP_PKEY_keygen(genctx, &pkey) <= 0) {
637             BIO_puts(bio_err, "Error Generating Key\n");
638             goto end;
639         }
640 
641         EVP_PKEY_CTX_free(genctx);
642         genctx = NULL;
643 
644         if (keyout == NULL) {
645             keyout = NCONF_get_string(req_conf, SECTION, KEYFILE);
646             if (keyout == NULL)
647                 ERR_clear_error();
648         }
649 
650         if (keyout == NULL)
651             BIO_printf(bio_err, "writing new private key to stdout\n");
652         else
653             BIO_printf(bio_err, "writing new private key to '%s'\n", keyout);
654         out = bio_open_owner(keyout, outformat, private);
655         if (out == NULL)
656             goto end;
657 
658         p = NCONF_get_string(req_conf, SECTION, "encrypt_rsa_key");
659         if (p == NULL) {
660             ERR_clear_error();
661             p = NCONF_get_string(req_conf, SECTION, "encrypt_key");
662             if (p == NULL)
663                 ERR_clear_error();
664         }
665         if ((p != NULL) && (strcmp(p, "no") == 0))
666             cipher = NULL;
667         if (nodes)
668             cipher = NULL;
669 
670         i = 0;
671  loop:
672         assert(private);
673         if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
674                                       NULL, 0, NULL, passout)) {
675             if ((ERR_GET_REASON(ERR_peek_error()) ==
676                  PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) {
677                 ERR_clear_error();
678                 i++;
679                 goto loop;
680             }
681             goto end;
682         }
683         BIO_free(out);
684         out = NULL;
685         BIO_printf(bio_err, "-----\n");
686     }
687 
688     if (!newreq) {
689         in = bio_open_default(infile, 'r', informat);
690         if (in == NULL)
691             goto end;
692 
693         if (informat == FORMAT_ASN1)
694             req = d2i_X509_REQ_bio(in, NULL);
695         else
696             req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
697         if (req == NULL) {
698             BIO_printf(bio_err, "unable to load X509 request\n");
699             goto end;
700         }
701     }
702 
703     if (newreq || x509) {
704         if (pkey == NULL) {
705             BIO_printf(bio_err, "you need to specify a private key\n");
706             goto end;
707         }
708 
709         if (req == NULL) {
710             req = X509_REQ_new();
711             if (req == NULL) {
712                 goto end;
713             }
714 
715             i = make_REQ(req, pkey, subj, multirdn, !x509, chtype);
716             subj = NULL;        /* done processing '-subj' option */
717             if (!i) {
718                 BIO_printf(bio_err, "problems making Certificate Request\n");
719                 goto end;
720             }
721         }
722         if (x509) {
723             EVP_PKEY *tmppkey;
724             X509V3_CTX ext_ctx;
725             if ((x509ss = X509_new()) == NULL)
726                 goto end;
727 
728             /* Set version to V3 */
729             if ((extensions != NULL || addext_conf != NULL)
730                 && !X509_set_version(x509ss, 2))
731                 goto end;
732             if (serial != NULL) {
733                 if (!X509_set_serialNumber(x509ss, serial))
734                     goto end;
735             } else {
736                 if (!rand_serial(NULL, X509_get_serialNumber(x509ss)))
737                     goto end;
738             }
739 
740             if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req)))
741                 goto end;
742             if (days == 0) {
743                 /* set default days if it's not specified */
744                 days = 30;
745             }
746             if (!set_cert_times(x509ss, NULL, NULL, days))
747                 goto end;
748             if (!X509_set_subject_name
749                 (x509ss, X509_REQ_get_subject_name(req)))
750                 goto end;
751             tmppkey = X509_REQ_get0_pubkey(req);
752             if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey))
753                 goto end;
754 
755             /* Set up V3 context struct */
756 
757             X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0);
758             X509V3_set_nconf(&ext_ctx, req_conf);
759 
760             /* Add extensions */
761             if (extensions != NULL && !X509V3_EXT_add_nconf(req_conf,
762                                                             &ext_ctx, extensions,
763                                                             x509ss)) {
764                 BIO_printf(bio_err, "Error Loading extension section %s\n",
765                            extensions);
766                 goto end;
767             }
768             if (addext_conf != NULL
769                 && !X509V3_EXT_add_nconf(addext_conf, &ext_ctx, "default",
770                                          x509ss)) {
771                 BIO_printf(bio_err, "Error Loading command line extensions\n");
772                 goto end;
773             }
774 
775             /* If a pre-cert was requested, we need to add a poison extension */
776             if (precert) {
777                 if (X509_add1_ext_i2d(x509ss, NID_ct_precert_poison, NULL, 1, 0)
778                     != 1) {
779                     BIO_printf(bio_err, "Error adding poison extension\n");
780                     goto end;
781                 }
782             }
783 
784             i = do_X509_sign(x509ss, pkey, digest, sigopts);
785             if (!i) {
786                 ERR_print_errors(bio_err);
787                 goto end;
788             }
789         } else {
790             X509V3_CTX ext_ctx;
791 
792             /* Set up V3 context struct */
793 
794             X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0);
795             X509V3_set_nconf(&ext_ctx, req_conf);
796 
797             /* Add extensions */
798             if (req_exts != NULL
799                 && !X509V3_EXT_REQ_add_nconf(req_conf, &ext_ctx,
800                                              req_exts, req)) {
801                 BIO_printf(bio_err, "Error Loading extension section %s\n",
802                            req_exts);
803                 goto end;
804             }
805             if (addext_conf != NULL
806                 && !X509V3_EXT_REQ_add_nconf(addext_conf, &ext_ctx, "default",
807                                              req)) {
808                 BIO_printf(bio_err, "Error Loading command line extensions\n");
809                 goto end;
810             }
811             i = do_X509_REQ_sign(req, pkey, digest, sigopts);
812             if (!i) {
813                 ERR_print_errors(bio_err);
814                 goto end;
815             }
816         }
817     }
818 
819     if (subj && x509) {
820         BIO_printf(bio_err, "Cannot modify certificate subject\n");
821         goto end;
822     }
823 
824     if (subj && !x509) {
825         if (verbose) {
826             BIO_printf(bio_err, "Modifying Request's Subject\n");
827             print_name(bio_err, "old subject=",
828                        X509_REQ_get_subject_name(req), get_nameopt());
829         }
830 
831         if (build_subject(req, subj, chtype, multirdn) == 0) {
832             BIO_printf(bio_err, "ERROR: cannot modify subject\n");
833             ret = 1;
834             goto end;
835         }
836 
837         if (verbose) {
838             print_name(bio_err, "new subject=",
839                        X509_REQ_get_subject_name(req), get_nameopt());
840         }
841     }
842 
843     if (verify && !x509) {
844         EVP_PKEY *tpubkey = pkey;
845 
846         if (tpubkey == NULL) {
847             tpubkey = X509_REQ_get0_pubkey(req);
848             if (tpubkey == NULL)
849                 goto end;
850         }
851 
852         i = X509_REQ_verify(req, tpubkey);
853 
854         if (i < 0) {
855             goto end;
856         } else if (i == 0) {
857             BIO_printf(bio_err, "verify failure\n");
858             ERR_print_errors(bio_err);
859         } else {                 /* if (i > 0) */
860             BIO_printf(bio_err, "verify OK\n");
861         }
862     }
863 
864     if (noout && !text && !modulus && !subject && !pubkey) {
865         ret = 0;
866         goto end;
867     }
868 
869     out = bio_open_default(outfile,
870                            keyout != NULL && outfile != NULL &&
871                            strcmp(keyout, outfile) == 0 ? 'a' : 'w',
872                            outformat);
873     if (out == NULL)
874         goto end;
875 
876     if (pubkey) {
877         EVP_PKEY *tpubkey = X509_REQ_get0_pubkey(req);
878 
879         if (tpubkey == NULL) {
880             BIO_printf(bio_err, "Error getting public key\n");
881             ERR_print_errors(bio_err);
882             goto end;
883         }
884         PEM_write_bio_PUBKEY(out, tpubkey);
885     }
886 
887     if (text) {
888         if (x509)
889             ret = X509_print_ex(out, x509ss, get_nameopt(), reqflag);
890         else
891             ret = X509_REQ_print_ex(out, req, get_nameopt(), reqflag);
892 
893         if (ret == 0) {
894             if (x509)
895               BIO_printf(bio_err, "Error printing certificate\n");
896             else
897               BIO_printf(bio_err, "Error printing certificate request\n");
898 
899             ERR_print_errors(bio_err);
900             goto end;
901         }
902     }
903 
904     if (subject) {
905         if (x509)
906             print_name(out, "subject=", X509_get_subject_name(x509ss),
907                        get_nameopt());
908         else
909             print_name(out, "subject=", X509_REQ_get_subject_name(req),
910                        get_nameopt());
911     }
912 
913     if (modulus) {
914         EVP_PKEY *tpubkey;
915 
916         if (x509)
917             tpubkey = X509_get0_pubkey(x509ss);
918         else
919             tpubkey = X509_REQ_get0_pubkey(req);
920         if (tpubkey == NULL) {
921             fprintf(stdout, "Modulus=unavailable\n");
922             goto end;
923         }
924         fprintf(stdout, "Modulus=");
925 #ifndef OPENSSL_NO_RSA
926         if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA) {
927             const BIGNUM *n;
928             RSA_get0_key(EVP_PKEY_get0_RSA(tpubkey), &n, NULL, NULL);
929             BN_print(out, n);
930         } else
931 #endif
932             fprintf(stdout, "Wrong Algorithm type");
933         fprintf(stdout, "\n");
934     }
935 
936     if (!noout && !x509) {
937         if (outformat == FORMAT_ASN1)
938             i = i2d_X509_REQ_bio(out, req);
939         else if (newhdr)
940             i = PEM_write_bio_X509_REQ_NEW(out, req);
941         else
942             i = PEM_write_bio_X509_REQ(out, req);
943         if (!i) {
944             BIO_printf(bio_err, "unable to write X509 request\n");
945             goto end;
946         }
947     }
948     if (!noout && x509 && (x509ss != NULL)) {
949         if (outformat == FORMAT_ASN1)
950             i = i2d_X509_bio(out, x509ss);
951         else
952             i = PEM_write_bio_X509(out, x509ss);
953         if (!i) {
954             BIO_printf(bio_err, "unable to write X509 certificate\n");
955             goto end;
956         }
957     }
958     ret = 0;
959  end:
960     if (ret) {
961         ERR_print_errors(bio_err);
962     }
963     NCONF_free(req_conf);
964     NCONF_free(addext_conf);
965     BIO_free(addext_bio);
966     BIO_free(in);
967     BIO_free_all(out);
968     EVP_PKEY_free(pkey);
969     EVP_PKEY_CTX_free(genctx);
970     sk_OPENSSL_STRING_free(pkeyopts);
971     sk_OPENSSL_STRING_free(sigopts);
972     lh_OPENSSL_STRING_doall(addexts, exts_cleanup);
973     lh_OPENSSL_STRING_free(addexts);
974 #ifndef OPENSSL_NO_ENGINE
975     ENGINE_free(gen_eng);
976 #endif
977     OPENSSL_free(keyalgstr);
978     X509_REQ_free(req);
979     X509_free(x509ss);
980     ASN1_INTEGER_free(serial);
981     release_engine(e);
982     if (passin != nofree_passin)
983         OPENSSL_free(passin);
984     if (passout != nofree_passout)
985         OPENSSL_free(passout);
986     return ret;
987 }
988 
989 static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
990                     int attribs, unsigned long chtype)
991 {
992     int ret = 0, i;
993     char no_prompt = 0;
994     STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL;
995     char *tmp, *dn_sect, *attr_sect;
996 
997     tmp = NCONF_get_string(req_conf, SECTION, PROMPT);
998     if (tmp == NULL)
999         ERR_clear_error();
1000     if ((tmp != NULL) && strcmp(tmp, "no") == 0)
1001         no_prompt = 1;
1002 
1003     dn_sect = NCONF_get_string(req_conf, SECTION, DISTINGUISHED_NAME);
1004     if (dn_sect == NULL) {
1005         BIO_printf(bio_err, "unable to find '%s' in config\n",
1006                    DISTINGUISHED_NAME);
1007         goto err;
1008     }
1009     dn_sk = NCONF_get_section(req_conf, dn_sect);
1010     if (dn_sk == NULL) {
1011         BIO_printf(bio_err, "unable to get '%s' section\n", dn_sect);
1012         goto err;
1013     }
1014 
1015     attr_sect = NCONF_get_string(req_conf, SECTION, ATTRIBUTES);
1016     if (attr_sect == NULL) {
1017         ERR_clear_error();
1018         attr_sk = NULL;
1019     } else {
1020         attr_sk = NCONF_get_section(req_conf, attr_sect);
1021         if (attr_sk == NULL) {
1022             BIO_printf(bio_err, "unable to get '%s' section\n", attr_sect);
1023             goto err;
1024         }
1025     }
1026 
1027     /* setup version number */
1028     if (!X509_REQ_set_version(req, 0L))
1029         goto err;               /* version 1 */
1030 
1031     if (subj)
1032         i = build_subject(req, subj, chtype, multirdn);
1033     else if (no_prompt)
1034         i = auto_info(req, dn_sk, attr_sk, attribs, chtype);
1035     else
1036         i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs,
1037                         chtype);
1038     if (!i)
1039         goto err;
1040 
1041     if (!X509_REQ_set_pubkey(req, pkey))
1042         goto err;
1043 
1044     ret = 1;
1045  err:
1046     return ret;
1047 }
1048 
1049 /*
1050  * subject is expected to be in the format /type0=value0/type1=value1/type2=...
1051  * where characters may be escaped by \
1052  */
1053 static int build_subject(X509_REQ *req, const char *subject, unsigned long chtype,
1054                          int multirdn)
1055 {
1056     X509_NAME *n;
1057 
1058     if ((n = parse_name(subject, chtype, multirdn)) == NULL)
1059         return 0;
1060 
1061     if (!X509_REQ_set_subject_name(req, n)) {
1062         X509_NAME_free(n);
1063         return 0;
1064     }
1065     X509_NAME_free(n);
1066     return 1;
1067 }
1068 
1069 static int prompt_info(X509_REQ *req,
1070                        STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect,
1071                        STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect,
1072                        int attribs, unsigned long chtype)
1073 {
1074     int i;
1075     char *p, *q;
1076     char buf[100];
1077     int nid, mval;
1078     long n_min, n_max;
1079     char *type, *value;
1080     const char *def;
1081     CONF_VALUE *v;
1082     X509_NAME *subj;
1083     subj = X509_REQ_get_subject_name(req);
1084 
1085     if (!batch) {
1086         BIO_printf(bio_err,
1087                    "You are about to be asked to enter information that will be incorporated\n");
1088         BIO_printf(bio_err, "into your certificate request.\n");
1089         BIO_printf(bio_err,
1090                    "What you are about to enter is what is called a Distinguished Name or a DN.\n");
1091         BIO_printf(bio_err,
1092                    "There are quite a few fields but you can leave some blank\n");
1093         BIO_printf(bio_err,
1094                    "For some fields there will be a default value,\n");
1095         BIO_printf(bio_err,
1096                    "If you enter '.', the field will be left blank.\n");
1097         BIO_printf(bio_err, "-----\n");
1098     }
1099 
1100     if (sk_CONF_VALUE_num(dn_sk)) {
1101         i = -1;
1102  start:
1103         for ( ; ; ) {
1104             i++;
1105             if (sk_CONF_VALUE_num(dn_sk) <= i)
1106                 break;
1107 
1108             v = sk_CONF_VALUE_value(dn_sk, i);
1109             p = q = NULL;
1110             type = v->name;
1111             if (!check_end(type, "_min") || !check_end(type, "_max") ||
1112                 !check_end(type, "_default") || !check_end(type, "_value"))
1113                 continue;
1114             /*
1115              * Skip past any leading X. X: X, etc to allow for multiple
1116              * instances
1117              */
1118             for (p = v->name; *p; p++)
1119                 if ((*p == ':') || (*p == ',') || (*p == '.')) {
1120                     p++;
1121                     if (*p)
1122                         type = p;
1123                     break;
1124                 }
1125             if (*type == '+') {
1126                 mval = -1;
1127                 type++;
1128             } else {
1129                 mval = 0;
1130             }
1131             /* If OBJ not recognised ignore it */
1132             if ((nid = OBJ_txt2nid(type)) == NID_undef)
1133                 goto start;
1134             if (!join(buf, sizeof(buf), v->name, "_default", "Name"))
1135                 return 0;
1136             if ((def = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
1137                 ERR_clear_error();
1138                 def = "";
1139             }
1140 
1141             if (!join(buf, sizeof(buf), v->name, "_value", "Name"))
1142                 return 0;
1143             if ((value = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) {
1144                 ERR_clear_error();
1145                 value = NULL;
1146             }
1147 
1148             if (!join(buf, sizeof(buf), v->name, "_min", "Name"))
1149                 return 0;
1150             if (!NCONF_get_number(req_conf, dn_sect, buf, &n_min)) {
1151                 ERR_clear_error();
1152                 n_min = -1;
1153             }
1154 
1155 
1156             if (!join(buf, sizeof(buf), v->name, "_max", "Name"))
1157                 return 0;
1158             if (!NCONF_get_number(req_conf, dn_sect, buf, &n_max)) {
1159                 ERR_clear_error();
1160                 n_max = -1;
1161             }
1162 
1163             if (!add_DN_object(subj, v->value, def, value, nid,
1164                                n_min, n_max, chtype, mval))
1165                 return 0;
1166         }
1167         if (X509_NAME_entry_count(subj) == 0) {
1168             BIO_printf(bio_err,
1169                        "error, no objects specified in config file\n");
1170             return 0;
1171         }
1172 
1173         if (attribs) {
1174             if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0)
1175                 && (!batch)) {
1176                 BIO_printf(bio_err,
1177                            "\nPlease enter the following 'extra' attributes\n");
1178                 BIO_printf(bio_err,
1179                            "to be sent with your certificate request\n");
1180             }
1181 
1182             i = -1;
1183  start2:
1184             for ( ; ; ) {
1185                 i++;
1186                 if ((attr_sk == NULL) || (sk_CONF_VALUE_num(attr_sk) <= i))
1187                     break;
1188 
1189                 v = sk_CONF_VALUE_value(attr_sk, i);
1190                 type = v->name;
1191                 if ((nid = OBJ_txt2nid(type)) == NID_undef)
1192                     goto start2;
1193 
1194                 if (!join(buf, sizeof(buf), type, "_default", "Name"))
1195                     return 0;
1196                 if ((def = NCONF_get_string(req_conf, attr_sect, buf))
1197                     == NULL) {
1198                     ERR_clear_error();
1199                     def = "";
1200                 }
1201 
1202                 if (!join(buf, sizeof(buf), type, "_value", "Name"))
1203                     return 0;
1204                 if ((value = NCONF_get_string(req_conf, attr_sect, buf))
1205                     == NULL) {
1206                     ERR_clear_error();
1207                     value = NULL;
1208                 }
1209 
1210                 if (!join(buf, sizeof(buf), type,"_min", "Name"))
1211                     return 0;
1212                 if (!NCONF_get_number(req_conf, attr_sect, buf, &n_min)) {
1213                     ERR_clear_error();
1214                     n_min = -1;
1215                 }
1216 
1217                 if (!join(buf, sizeof(buf), type, "_max", "Name"))
1218                     return 0;
1219                 if (!NCONF_get_number(req_conf, attr_sect, buf, &n_max)) {
1220                     ERR_clear_error();
1221                     n_max = -1;
1222                 }
1223 
1224                 if (!add_attribute_object(req,
1225                                           v->value, def, value, nid, n_min,
1226                                           n_max, chtype))
1227                     return 0;
1228             }
1229         }
1230     } else {
1231         BIO_printf(bio_err, "No template, please set one up.\n");
1232         return 0;
1233     }
1234 
1235     return 1;
1236 
1237 }
1238 
1239 static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
1240                      STACK_OF(CONF_VALUE) *attr_sk, int attribs,
1241                      unsigned long chtype)
1242 {
1243     int i, spec_char, plus_char;
1244     char *p, *q;
1245     char *type;
1246     CONF_VALUE *v;
1247     X509_NAME *subj;
1248 
1249     subj = X509_REQ_get_subject_name(req);
1250 
1251     for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
1252         int mval;
1253         v = sk_CONF_VALUE_value(dn_sk, i);
1254         p = q = NULL;
1255         type = v->name;
1256         /*
1257          * Skip past any leading X. X: X, etc to allow for multiple instances
1258          */
1259         for (p = v->name; *p; p++) {
1260 #ifndef CHARSET_EBCDIC
1261             spec_char = ((*p == ':') || (*p == ',') || (*p == '.'));
1262 #else
1263             spec_char = ((*p == os_toascii[':']) || (*p == os_toascii[','])
1264                     || (*p == os_toascii['.']));
1265 #endif
1266             if (spec_char) {
1267                 p++;
1268                 if (*p)
1269                     type = p;
1270                 break;
1271             }
1272         }
1273 #ifndef CHARSET_EBCDIC
1274         plus_char = (*type == '+');
1275 #else
1276         plus_char = (*type == os_toascii['+']);
1277 #endif
1278         if (plus_char) {
1279             type++;
1280             mval = -1;
1281         } else {
1282             mval = 0;
1283         }
1284         if (!X509_NAME_add_entry_by_txt(subj, type, chtype,
1285                                         (unsigned char *)v->value, -1, -1,
1286                                         mval))
1287             return 0;
1288 
1289     }
1290 
1291     if (!X509_NAME_entry_count(subj)) {
1292         BIO_printf(bio_err, "error, no objects specified in config file\n");
1293         return 0;
1294     }
1295     if (attribs) {
1296         for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) {
1297             v = sk_CONF_VALUE_value(attr_sk, i);
1298             if (!X509_REQ_add1_attr_by_txt(req, v->name, chtype,
1299                                            (unsigned char *)v->value, -1))
1300                 return 0;
1301         }
1302     }
1303     return 1;
1304 }
1305 
1306 static int add_DN_object(X509_NAME *n, char *text, const char *def,
1307                          char *value, int nid, int n_min, int n_max,
1308                          unsigned long chtype, int mval)
1309 {
1310     int ret = 0;
1311     char buf[1024];
1312 
1313     ret = build_data(text, def, value, n_min, n_max, buf, sizeof(buf),
1314                      "DN value", "DN default");
1315     if ((ret == 0) || (ret == 1))
1316         return ret;
1317     ret = 1;
1318 
1319     if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
1320                                     (unsigned char *)buf, -1, -1, mval))
1321         ret = 0;
1322 
1323     return ret;
1324 }
1325 
1326 static int add_attribute_object(X509_REQ *req, char *text, const char *def,
1327                                 char *value, int nid, int n_min,
1328                                 int n_max, unsigned long chtype)
1329 {
1330     int ret = 0;
1331     char buf[1024];
1332 
1333     ret = build_data(text, def, value, n_min, n_max, buf, sizeof(buf),
1334                      "Attribute value", "Attribute default");
1335     if ((ret == 0) || (ret == 1))
1336         return ret;
1337     ret = 1;
1338 
1339     if (!X509_REQ_add1_attr_by_NID(req, nid, chtype,
1340                                    (unsigned char *)buf, -1)) {
1341         BIO_printf(bio_err, "Error adding attribute\n");
1342         ERR_print_errors(bio_err);
1343         ret = 0;
1344     }
1345 
1346     return ret;
1347 }
1348 
1349 
1350 static int build_data(char *text, const char *def,
1351                          char *value, int n_min, int n_max,
1352                          char *buf, const int buf_size,
1353                          const char *desc1, const char *desc2
1354                          )
1355 {
1356     int i;
1357  start:
1358     if (!batch)
1359         BIO_printf(bio_err, "%s [%s]:", text, def);
1360     (void)BIO_flush(bio_err);
1361     if (value != NULL) {
1362         if (!join(buf, buf_size, value, "\n", desc1))
1363             return 0;
1364         BIO_printf(bio_err, "%s\n", value);
1365     } else {
1366         buf[0] = '\0';
1367         if (!batch) {
1368             if (!fgets(buf, buf_size, stdin))
1369                 return 0;
1370         } else {
1371             buf[0] = '\n';
1372             buf[1] = '\0';
1373         }
1374     }
1375 
1376     if (buf[0] == '\0')
1377         return 0;
1378     if (buf[0] == '\n') {
1379         if ((def == NULL) || (def[0] == '\0'))
1380             return 1;
1381         if (!join(buf, buf_size, def, "\n", desc2))
1382             return 0;
1383     } else if ((buf[0] == '.') && (buf[1] == '\n')) {
1384         return 1;
1385     }
1386 
1387     i = strlen(buf);
1388     if (buf[i - 1] != '\n') {
1389         BIO_printf(bio_err, "weird input :-(\n");
1390         return 0;
1391     }
1392     buf[--i] = '\0';
1393 #ifdef CHARSET_EBCDIC
1394     ebcdic2ascii(buf, buf, i);
1395 #endif
1396     if (!req_check_len(i, n_min, n_max)) {
1397         if (batch || value)
1398             return 0;
1399         goto start;
1400     }
1401     return 2;
1402 }
1403 
1404 static int req_check_len(int len, int n_min, int n_max)
1405 {
1406     if ((n_min > 0) && (len < n_min)) {
1407         BIO_printf(bio_err,
1408                    "string is too short, it needs to be at least %d bytes long\n",
1409                    n_min);
1410         return 0;
1411     }
1412     if ((n_max >= 0) && (len > n_max)) {
1413         BIO_printf(bio_err,
1414                    "string is too long, it needs to be no more than %d bytes long\n",
1415                    n_max);
1416         return 0;
1417     }
1418     return 1;
1419 }
1420 
1421 /* Check if the end of a string matches 'end' */
1422 static int check_end(const char *str, const char *end)
1423 {
1424     size_t elen, slen;
1425     const char *tmp;
1426 
1427     elen = strlen(end);
1428     slen = strlen(str);
1429     if (elen > slen)
1430         return 1;
1431     tmp = str + slen - elen;
1432     return strcmp(tmp, end);
1433 }
1434 
1435 /*
1436  * Merge the two strings together into the result buffer checking for
1437  * overflow and producing an error message if there is.
1438  */
1439 static int join(char buf[], size_t buf_size, const char *name,
1440                 const char *tail, const char *desc)
1441 {
1442     const size_t name_len = strlen(name), tail_len = strlen(tail);
1443 
1444     if (name_len + tail_len + 1 > buf_size) {
1445         BIO_printf(bio_err, "%s '%s' too long\n", desc, name);
1446         return 0;
1447     }
1448     memcpy(buf, name, name_len);
1449     memcpy(buf + name_len, tail, tail_len + 1);
1450     return 1;
1451 }
1452 
1453 static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
1454                                     int *pkey_type, long *pkeylen,
1455                                     char **palgnam, ENGINE *keygen_engine)
1456 {
1457     EVP_PKEY_CTX *gctx = NULL;
1458     EVP_PKEY *param = NULL;
1459     long keylen = -1;
1460     BIO *pbio = NULL;
1461     const char *paramfile = NULL;
1462 
1463     if (gstr == NULL) {
1464         *pkey_type = EVP_PKEY_RSA;
1465         keylen = *pkeylen;
1466     } else if (gstr[0] >= '0' && gstr[0] <= '9') {
1467         *pkey_type = EVP_PKEY_RSA;
1468         keylen = atol(gstr);
1469         *pkeylen = keylen;
1470     } else if (strncmp(gstr, "param:", 6) == 0) {
1471         paramfile = gstr + 6;
1472     } else {
1473         const char *p = strchr(gstr, ':');
1474         int len;
1475         ENGINE *tmpeng;
1476         const EVP_PKEY_ASN1_METHOD *ameth;
1477 
1478         if (p != NULL)
1479             len = p - gstr;
1480         else
1481             len = strlen(gstr);
1482         /*
1483          * The lookup of a the string will cover all engines so keep a note
1484          * of the implementation.
1485          */
1486 
1487         ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len);
1488 
1489         if (ameth == NULL) {
1490             BIO_printf(bio_err, "Unknown algorithm %.*s\n", len, gstr);
1491             return NULL;
1492         }
1493 
1494         EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, ameth);
1495 #ifndef OPENSSL_NO_ENGINE
1496         ENGINE_finish(tmpeng);
1497 #endif
1498         if (*pkey_type == EVP_PKEY_RSA) {
1499             if (p != NULL) {
1500                 keylen = atol(p + 1);
1501                 *pkeylen = keylen;
1502             } else {
1503                 keylen = *pkeylen;
1504             }
1505         } else if (p != NULL) {
1506             paramfile = p + 1;
1507         }
1508     }
1509 
1510     if (paramfile != NULL) {
1511         pbio = BIO_new_file(paramfile, "r");
1512         if (pbio == NULL) {
1513             BIO_printf(bio_err, "Can't open parameter file %s\n", paramfile);
1514             return NULL;
1515         }
1516         param = PEM_read_bio_Parameters(pbio, NULL);
1517 
1518         if (param == NULL) {
1519             X509 *x;
1520 
1521             (void)BIO_reset(pbio);
1522             x = PEM_read_bio_X509(pbio, NULL, NULL, NULL);
1523             if (x != NULL) {
1524                 param = X509_get_pubkey(x);
1525                 X509_free(x);
1526             }
1527         }
1528 
1529         BIO_free(pbio);
1530 
1531         if (param == NULL) {
1532             BIO_printf(bio_err, "Error reading parameter file %s\n", paramfile);
1533             return NULL;
1534         }
1535         if (*pkey_type == -1) {
1536             *pkey_type = EVP_PKEY_id(param);
1537         } else if (*pkey_type != EVP_PKEY_base_id(param)) {
1538             BIO_printf(bio_err, "Key Type does not match parameters\n");
1539             EVP_PKEY_free(param);
1540             return NULL;
1541         }
1542     }
1543 
1544     if (palgnam != NULL) {
1545         const EVP_PKEY_ASN1_METHOD *ameth;
1546         ENGINE *tmpeng;
1547         const char *anam;
1548 
1549         ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type);
1550         if (ameth == NULL) {
1551             BIO_puts(bio_err, "Internal error: can't find key algorithm\n");
1552             return NULL;
1553         }
1554         EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
1555         *palgnam = OPENSSL_strdup(anam);
1556 #ifndef OPENSSL_NO_ENGINE
1557         ENGINE_finish(tmpeng);
1558 #endif
1559     }
1560 
1561     if (param != NULL) {
1562         gctx = EVP_PKEY_CTX_new(param, keygen_engine);
1563         *pkeylen = EVP_PKEY_bits(param);
1564         EVP_PKEY_free(param);
1565     } else {
1566         gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine);
1567     }
1568 
1569     if (gctx == NULL) {
1570         BIO_puts(bio_err, "Error allocating keygen context\n");
1571         ERR_print_errors(bio_err);
1572         return NULL;
1573     }
1574 
1575     if (EVP_PKEY_keygen_init(gctx) <= 0) {
1576         BIO_puts(bio_err, "Error initializing keygen context\n");
1577         ERR_print_errors(bio_err);
1578         EVP_PKEY_CTX_free(gctx);
1579         return NULL;
1580     }
1581 #ifndef OPENSSL_NO_RSA
1582     if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) {
1583         if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) {
1584             BIO_puts(bio_err, "Error setting RSA keysize\n");
1585             ERR_print_errors(bio_err);
1586             EVP_PKEY_CTX_free(gctx);
1587             return NULL;
1588         }
1589     }
1590 #endif
1591 
1592     return gctx;
1593 }
1594 
1595 static int genpkey_cb(EVP_PKEY_CTX *ctx)
1596 {
1597     char c = '*';
1598     BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
1599     int p;
1600     p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
1601     if (p == 0)
1602         c = '.';
1603     if (p == 1)
1604         c = '+';
1605     if (p == 2)
1606         c = '*';
1607     if (p == 3)
1608         c = '\n';
1609     BIO_write(b, &c, 1);
1610     (void)BIO_flush(b);
1611     return 1;
1612 }
1613 
1614 static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey,
1615                         const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts)
1616 {
1617     EVP_PKEY_CTX *pkctx = NULL;
1618     int i, def_nid;
1619 
1620     if (ctx == NULL)
1621         return 0;
1622     /*
1623      * EVP_PKEY_get_default_digest_nid() returns 2 if the digest is mandatory
1624      * for this algorithm.
1625      */
1626     if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) == 2
1627             && def_nid == NID_undef) {
1628         /* The signing algorithm requires there to be no digest */
1629         md = NULL;
1630     }
1631     if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey))
1632         return 0;
1633     for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
1634         char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);
1635         if (pkey_ctrl_string(pkctx, sigopt) <= 0) {
1636             BIO_printf(bio_err, "parameter error \"%s\"\n", sigopt);
1637             ERR_print_errors(bio_err);
1638             return 0;
1639         }
1640     }
1641     return 1;
1642 }
1643 
1644 int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
1645                  STACK_OF(OPENSSL_STRING) *sigopts)
1646 {
1647     int rv;
1648     EVP_MD_CTX *mctx = EVP_MD_CTX_new();
1649 
1650     rv = do_sign_init(mctx, pkey, md, sigopts);
1651     if (rv > 0)
1652         rv = X509_sign_ctx(x, mctx);
1653     EVP_MD_CTX_free(mctx);
1654     return rv > 0 ? 1 : 0;
1655 }
1656 
1657 int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
1658                      STACK_OF(OPENSSL_STRING) *sigopts)
1659 {
1660     int rv;
1661     EVP_MD_CTX *mctx = EVP_MD_CTX_new();
1662     rv = do_sign_init(mctx, pkey, md, sigopts);
1663     if (rv > 0)
1664         rv = X509_REQ_sign_ctx(x, mctx);
1665     EVP_MD_CTX_free(mctx);
1666     return rv > 0 ? 1 : 0;
1667 }
1668 
1669 int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
1670                      STACK_OF(OPENSSL_STRING) *sigopts)
1671 {
1672     int rv;
1673     EVP_MD_CTX *mctx = EVP_MD_CTX_new();
1674     rv = do_sign_init(mctx, pkey, md, sigopts);
1675     if (rv > 0)
1676         rv = X509_CRL_sign_ctx(x, mctx);
1677     EVP_MD_CTX_free(mctx);
1678     return rv > 0 ? 1 : 0;
1679 }
1680